Scientific Annals of Computer Science vol. 28 (2), 2018, pp. 289-337 
doi: 10.7561/SACS.2018.2.289 


Fault-Free Refinements for Interface Automata


Ayleen SCHINKO, Walter VOGLER


Abstract 


A refinement preorder for a model of concurrent systems should be 
compositional (i.e. a precongruence for parallel composition) and should 
not introduce faults into a fault-free specification. Arguably, the 
coarsest such precongruence is the optimal refinement preorder. For 
the model of interface automata, faults are communication errors in 
the form of unexpected inputs. The respective optimal preorder has 
been characterized as the inclusion of two trace sets. Here, we extend 
this result by regarding also quiescence (quiescence and divergence 
resp.) as faults. The latter preorder is coarser, i.e. better, than an 
earlier preorder regarding errors, quiescence and divergence. We also 
present conjunction operators for our settings, avoiding flaws that can 
be found in the literature, and a quotient operator. 


Keywords: refinement, precongruence, conjunction, quotient, quiescence, divergence


1 Introduction 


Interface automata (IA) [6,7] describe how a system component performs input actions and the locally controlled output and internal actions. Arrival of an unexpected input leads to a communication error, and such errors have to be avoided. To support the design of error-free communicating systems, interface automata are equipped with a parallel composition featuring a specific error pruning and with an alternating simulation as refinement relation. Both are somewhat arbitrary. To avoid prejudices as far as possible, we set out in [4] to find an adequate observable semantics for interface automata as follows.

To avoid preconceptions, we used a standard parallel composition; additionally, states with an error are marked, but no other modification like pruning is made without justification. Our model is called error-IO transition system (EIO). As a basic observable we took whether an interface automaton can run into an error on its own, i.e. whether an error is reachable by local actions alone.³ Accordingly, a basic requirement for a refinement preorder is that a specification without such a locally reachable error cannot be refined by an interface automaton with such an error. Technically speaking, the preorder should refine (be contained in) the relation $\sqsubseteq_B$ where $S \sqsubseteq_B S'$ unless $S$ has a locally reachable error while $S'$ has not. Relation $\sqsubseteq_B$ describes basic error avoidance.


A second essential requirement is that the refinement preorder is compositional w.r.t. parallel composition (and possibly other operational connectives). Formally, this means that the preorder is a precongruence w.r.t. parallel composition, i.e. refining a component of a composed system refines the overall system. Given a basic requirement as expressed by $\sqsubseteq_B$, we regard a preorder as optimal if it refuses an automaton as refinement only if this is necessary to achieve these two goals; technically, the preorder should be the coarsest precongruence refining $\sqsubseteq_B$, called fully abstract w.r.t. $\sqsubseteq_B$ and parallel composition. This precongruence can also be understood as being obtained from the basic observable when putting the specification and the potential refinement into all possible parallel contexts or testing environments.


For the setting above, we characterized the fully abstract precongruence as inclusion for two trace sets; this corresponds to the declarative model of [9], which was developed to study the behaviour of asynchronous circuits. One trace set is the set of error traces. Essentially, these are the traces leading to an error and the continuations of such traces, but also some pruning on traces is used. The other set is the union of the first set and the language of the automaton. Although the precongruence was designed to ensure that new errors are not introduced during refinement, it is concerned with safety in a broader sense: also error-free behaviour of a refinement must be allowed in the specification.

³ Considering only local reachability is usually called optimistic. In [4] also two other variations were studied that are called hyper-optimistic and pessimistic.


We found that the pruning of [6,7] leads to an equivalent EIO w.r.t. the 
precongruence, if the EIO is deterministic on inputs. The latter is required 
in most papers about interface automata, but not in [6], where the parallel 
composition with pruning — which is only based on intuition — fails to be 
associative. We also showed how pruning can be modified to work properly 
in this general case. 


A problem in interface automata is that outputs are just seen as a cause for errors; one can refine each automaton by one that never performs any output. This is most often not desirable. To remedy it, one can complement the model by may- and must-modalities on the transitions, see e.g. [3] for an advanced extension of this kind. Alternatively, one can introduce an artificial output action $\delta$ and add a $\delta$-loop to each state that does not enable any local action; $\delta$ indicates that the automaton cannot leave such a so-called quiescent state on its own. Then, the alternating simulation of [7] makes sure that, whenever a refinement cannot perform any output in some state, the same holds for each simulating state in the specification; cf. [1]. This construction is known from the ioco-approach (input/output conformance) of Tretmans [14]. One can also regard quiescent states as faulty as in [5]. Additionally, divergent states, which enable an infinite sequence of internal transitions, are seen as undesirable there. A motivation for this view is that the automaton may e.g. block due to a never-ending and energy consuming internal computation.


Motivated by [5], we continue our work from [4] in the present paper as follows. In a first stage, we add to $\sqsubseteq_B$ the requirement that locally reachable quiescence be not introduced in a refinement step, obtaining the basic preorder $\sqsubseteq_B^{qui}$. This requirement enforces some local actions in the refining system; the resulting precongruence preserves liveness in some sense. In a second stage, the same requirement for divergent states is added to $\sqsubseteq_B^{qui}$. For both settings of faulty states, we characterize the resp. fully abstract precongruence, adding a set of quiescent traces for the first and, additionally, adding divergence traces to the error traces considered in [4] for the second.


We also show that all the precongruences are compositional for hiding. In this paper, we follow an interleaving approach. For a treatment of failures involving so-called true concurrency and considering causality, we refer e.g. to [11].


It has become popular in recent years to consider also conjunction for operational models. At first glance, this might look surprising; but it is actually a natural concept since we consider such models as specifications that are satisfied or not by other models. A conjunction operator allows one to specify different facets of an intended system separately and, then, to combine them; see [10] for a fairly early contribution and the discussion of earlier work therein. Another interesting operator is quotienting, which shows how to implement a specification as a parallel composition using an existing component. We also exhibit conjunction operators for our precongruences and a quotient operator.


In a setting that disregards errors, quiescence was already studied in [13] with a testing approach in the spirit of [8]; this kind of testing is closely related to the coarsest-precongruence idea. The quiescence semantics in [13] coincides with ours for error-free EIOs. The closest publication to the present paper is [5], where also related work is discussed more extensively. There, a setting just concerning errors and a setting concerning errors, quiescence and divergence are studied. The starting point for both is declarative, i.e. considering trace sets without an operational model. The first setting is just the same as the one in [9]. For the second, a set of quiescent traces and a set of divergence traces are added. Then, both settings are underlaid with an operational model like EIO.

Essentially, the coarsest precongruence result of [4] can also be found in [5]. Nevertheless, we will prove it again in the present paper. The first reason for this is that our EIOs are slightly more prejudiced than the ones in [4]; this makes concepts and proofs much easier and accessible here. All our results (except those concerning conjunction and quotient) are shown to hold also for the original EIO model in [12]. Furthermore, binary synchronization is considered in [4], whereas we have multicast here. The second reason is that the automata in [5] are slightly more prejudiced than ours. Refinement is defined as inclusion for the same trace sets we use, but the trace sets used to show compositionality w.r.t. parallel composition in [5] are not the same. Furthermore, the full abstractness result is for an equivalence and not for a preorder. Thus, our proofs are different, and they are more detailed. But the main reason for studying the basic setting again is that it gives an easy access to the whole approach, and the proofs are needed anyway for our two new settings.


The authors of [5] insist that a proper treatment of quiescence requires treating divergence as undesirable as well. Our first new setting studies quiescence ignoring divergence. Furthermore, and in contrast to [5], we have a full abstractness result for our second setting treating quiescence and divergence. This shows that the observable precongruence based on observing errors, divergence and quiescence is coarser than the precongruence in [5] and, hence, better in the sense of the above optimality. Technically, the semantics for the latter has a separate set of divergence traces, which is not closed under continuation. Our semantics has one set for error and divergence traces, i.e. error and divergence states have the same impact, and the whole set is closed under continuation.

For the two settings in [5], also conjunction (and disjunction) as well 
as a quotient w.r.t. parallel composition are constructed, turning them into 
what is often called interface theories. Our results demonstrate that our new 
settings can serve as interface theories as well. We also point out mistakes 
in the conjunctions of [5]. 

Section 2 gives the basic definitions. Then, we study the coarsest precongruences, extending the observable faults stepwise: Section 3 considers only errors, and we add quiescence in Section 4 and divergence in Section 5. The results on conjunctions can be found in Sections 4 and 5, and a comparison of the various refinement notions (including the one from [5]) is presented in Section 5. Section 6 studies the quotient operator, and we finish with some conclusions.


2 Basic Notions 


We consider labelled transition systems where each transition is labelled with an input or output action or with the invisible, internal action $\tau$, which is different from all other actions. Systems communicate by performing the same action, which is an input of one and an output of the other system. If, in a state of a composed system, one component generates an output action for another component that is not ready to receive this input, then a catastrophic error arises and the state is called an error state. Therefore, our systems have distinguished sets of error states. If a state is not ready to receive an input $i$, the state would not have an $i$-transition in most IA-like approaches. Here, we follow [5] and give the state an $i$-transition to an error state. Consequently, our systems are input-enabled; we will explain this further in Section 2.1.


Definition 1 (Error-IO Transition Systems). An error-IO transition system (EIO) is a tuple $S = (Q, I, O, \delta, q_0, E)$ with:

• $Q$ — a set of states,

• $I, O$ — disjoint sets of input and output actions, where $\Sigma = I \cup O$ is the action set and $Sig(S) = (I, O)$ the signature of $S$,

• $\delta \subseteq Q \times (\Sigma \cup \{\tau\}) \times Q$ — the transition relation,

• $q_0 \in Q$ — the initial state,

• $E \subseteq Q$ — the set of error states.

We require that $S$ is input-enabled, i.e. for all $p \in Q$ and $i \in I$ there exists $q \in Q$ with $(p, i, q) \in \delta$. We call an EIO deterministic if it has no $\tau$-transitions and, for each $a \in \Sigma$, each state has at most one $a$-transition.


The idea of an EIO is that outputs and internal actions are under the control of the system; they are called local. In contrast, input transitions are only performed if the input is provided by an environment. If not defined otherwise, an EIO $S$ always has the components $Q, I, O, \delta, q_0$ and $E$, and similarly $S_i$ has components $Q_i, I_i$ etc. This convention also applies to the language of an EIO as defined below and for similar constructs. In pictures, we write $x?$ for an input $x$ and $x!$ for an output $x$. An $x$ without $?$ or $!$ denotes an arbitrary visible action.

For an EIO $S$, we derive the following notations from $\delta$: We write $p \xrightarrow{a} q$ for $(p, a, q) \in \delta$ and $p \xrightarrow{a}$ for $\exists q \in Q: p \xrightarrow{a} q$, saying that $a$ is enabled in $p$. A state is stable if it does not enable $\tau$. Extending the notation to action sequences, $p \xrightarrow{w} q$ means that there exists a run $p \xrightarrow{a_1} p_1 \xrightarrow{a_2} p_2 \ldots \xrightarrow{a_n} q$ such that $w = a_1 a_2 \ldots a_n$ where $a_i \in (\Sigma \cup \{\tau\})$ for $i = 1, \ldots, n$; a run can also be infinite. A state $q$ is reachable if $q_0 \xrightarrow{w} q$ for some $w$.

The projection $w|_B$ of $w$ onto $B$ arises from $w$ by deleting all actions not in $B \subseteq \Sigma$. Now $p \xRightarrow{w} q$ if $w \in \Sigma^*$ and $\exists w' \in (\Sigma \cup \{\tau\})^*: w'|_\Sigma = w \wedge p \xrightarrow{w'} q$; we say that the latter run underlies $p \xRightarrow{w} q$ or just $w$, if the context is clear. As above, we write $p \xRightarrow{w}$ for $\exists q: p \xRightarrow{w} q$ and $p \xrightarrow{w}$ for $\exists q: p \xrightarrow{w} q$.

The language of $S$ is $L(S) = \{w \in \Sigma^* \mid q_0 \xRightarrow{w}\}$; it consists of the traces of $S$.
When building specifications in a modular way, the main operators are parallel composition and some form of scoping that prevents communication on some actions. If such an action is an input, the action is blocked since it cannot be triggered by the environment anymore; this does not interest us here. In contrast, an output is locally controlled, i.e. never blocked; if communication is prevented, it is performed invisibly. Such a hiding turns some outputs into $\tau$.


Definition 2 (Hiding). For an EIO $S = (Q, I, O, \delta, q_0, E)$ and some $X \subseteq O$, $S$ hiding $X$ is the EIO $S/X = (Q, I, O', \delta', q_0, E)$ where $O' = O \setminus X$ and $\delta'$ is obtained from $\delta$ by replacing all transition labels in $X$ by $\tau$.


As in IA, component systems working in parallel synchronize on com- 
mon visible actions. Since outputs are controlled by the resp. component, 
components cannot have an output in common. In IA, always an input 
and an output are synchronized (and then hidden); we, as others, allow 
multicast communication: an output can be received by several components, 
and these can consequently synchronize on each common input. Since errors 
are catastrophic, a state of a composition is an error if one of its component 
states is an error, i.e. this error is inherited from a component. 


Definition 3 (Parallel Composition). EIOs $S_1$ and $S_2$ are composable if $O_1 \cap O_2 = \emptyset$. In this case, we define their parallel composition $S_{12} := S_1 \| S_2 = (Q, I, O, \delta, q_0, E)$ as follows.

• $Q = Q_1 \times Q_2$,

• $I = (I_1 \setminus O_2) \cup (I_2 \setminus O_1)$,

• $O = O_1 \cup O_2$,

• $q_0 = (q_{01}, q_{02})$,

• $\delta = \{((q_1, q_2), a, (p_1, q_2)) \mid (q_1, a, p_1) \in \delta_1,\ a \in (\Sigma_1 \cup \{\tau\}) \setminus \Sigma_2\}$
  $\cup\ \{((q_1, q_2), a, (q_1, p_2)) \mid (q_2, a, p_2) \in \delta_2,\ a \in (\Sigma_2 \cup \{\tau\}) \setminus \Sigma_1\}$
  $\cup\ \{((q_1, q_2), a, (p_1, p_2)) \mid (q_1, a, p_1) \in \delta_1,\ (q_2, a, p_2) \in \delta_2,\ a \in \Sigma_1 \cap \Sigma_2\}$,

• $E = (Q_1 \times E_2) \cup (E_1 \times Q_2)$.


We use the above notation $S_{12} = S_1 \| S_2$ in an analogous way for other systems, e.g. $S_{ij} := S_i \| S_j$ for $i, j \in \mathbb{N}$. We call $S_1$ a partner of $S_2$ if $I_2 \subseteq O_1$ and $O_2 = I_1$; intuitively, $S_1$ fully synchronises with $S_2$ but might have additional outputs.


Parallel composition can also be defined on the traces of two EIOs or on arbitrary words over alphabets $\Sigma_1$ and $\Sigma_2$.


Definition 4 (Parallel Composition of Traces). Let $S_1$ and $S_2$ be two EIOs.

• The parallel composition of words $w_1 \in \Sigma_1^*$ and $w_2 \in \Sigma_2^*$ is $w_1 \| w_2 := \{w \in (\Sigma_1 \cup \Sigma_2)^* \mid w|_{\Sigma_1} = w_1 \wedge w|_{\Sigma_2} = w_2\}$.

• The parallel composition of two languages (sets of words) $W_1 \subseteq \Sigma_1^*$ and $W_2 \subseteq \Sigma_2^*$ is $W_1 \| W_2 := \bigcup \{w_1 \| w_2 \mid w_1 \in W_1 \wedge w_2 \in W_2\}$.


The following lemma is well-known. 


Lemma 5. Let $S_1$ and $S_2$ be composable EIOs.

1. Let $w \in \Sigma_{12}^*$, $w_1 = w|_{\Sigma_1}$ and $w_2 = w|_{\Sigma_2}$; let $(q_1, q_2), (p_1, p_2) \in Q_{12}$. Then $(q_1, q_2) \xRightarrow{w} (p_1, p_2)$ if and only if $q_1 \xRightarrow{w_1} p_1$ and $q_2 \xRightarrow{w_2} p_2$.

2. $L_{12} = L_1 \| L_2$.


We call the second and third (underlying) run in Part 1 (of Lemma 5) the projections of the first. Each visible action in one of the former two corresponds to a unique action in the latter. For prefixes $v_1$ of $w_1$ and $v_2$ of $w_2$, we say that $v_1$ ends before, with or after $v_2$ according to the positions of their last actions in $w$. Each prefix $v$ of $w$ determines prefixes $v_1$ of $w_1$ and $v_2$ of $w_2$ with $v \in v_1 \| v_2$; if the two equivalent statements in Part 1 hold, these three prefixes determine prefixes of the three runs that also make the statements true.

We will also have a quick look at the parallel composition used in [7]. There, communication is binary, i.e. an output can only synchronize with one input. Consequently, we call EIOs $S_1$ and $S_2$ strongly composable if $\Sigma_1 \cap \Sigma_2 = (I_1 \cap O_2) \cup (O_1 \cap I_2)$, i.e. $O_1 \cap O_2 = \emptyset = I_1 \cap I_2$.


Definition 6 (Parallel Composition With Internalization). For strongly composable EIOs $S_1$ and $S_2$, their parallel composition with hiding is defined as $S_1 | S_2 = S_{12} / (\Sigma_1 \cap \Sigma_2)$.
2.1 Communication Errors and Basic Requirements


In our setting, the reaction to an arriving input is always specified due to input-enabledness; an input transition leading to an error state means that the system is not able to deal with this input properly at the respective state and a catastrophic error occurs. Such an error is an unavoidable problem for a system $S$ only if it is locally reachable, i.e. if $q_0 \xRightarrow{w} q$ with $q \in E$ for some $w \in O^*$. If $S$ does not have such errors, we say for short that $S$ avoids errors.

If $(q_1, q_2) \in Q_1 \times Q_2$ is a state of a composition, then there might be an output transition $q_1 \xrightarrow{a} q_1'$ for an input $a$ of $S_2$ that, in the IA-setting, is not enabled in $q_2$. In this case, $(q_1, q_2)$ is designated as an error state — and we called it a new error in [4]. In the present setting, we have some $q_2 \xrightarrow{a} q_2'$ with $q_2' \in E_2$ instead; hence, there is the output transition $(q_1, q_2) \xrightarrow{a} (q_1', q_2')$, and $(q_1', q_2') \in E_{12}$ is called an inherited error in [4]. Since $a$ is an output, the error is already unavoidable in $(q_1, q_2)$ also in the present setting. In other words, input-enabledness does not really change the setting intuitively. Strictly speaking, this is a prejudice; it is formally justified in [12], where all our results except for the ones concerning conjunction and quotient are proven without input-enabledness. The advantage of input-enabledness is that we have only one kind of error in Def. 3. Accordingly, the definition of error traces below as well as the subsequent proofs become considerably easier. The operational model in [5] is even more prejudiced since it requires each error state to have a loop-transition for each action.


In a refinement framework, one clearly does not want to introduce an error in a refinement step. To phrase this more technically, we write $S_1 \sqsubseteq_B S_2$ for EIOs $S_1$ and $S_2$ with the same signature, if $S_1$ avoids errors provided $S_2$ does. Then one essential requirement for a refinement preorder is: if $S_1$ refines $S_2$, then $S_1 \sqsubseteq_B S_2$. A second requirement is that the preorder supports modular reasoning, i.e. that it be a precongruence for parallel composition. Now, a preorder is semantically optimal if it rejects a system as a refinement only if these two requirements make it necessary. In other words, one should look for the (signature-preserving) coarsest precongruence $\sqsubseteq_C$ for $\|$ contained in the basic preorder $\sqsubseteq_B$. This precongruence is called fully abstract w.r.t. $\sqsubseteq_B$ and $\|$, and was characterized with two trace sets in [4,5].
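As an added worked example (our own code, not code from the paper), the following Python sketch implements Definitions 1 to 3 and the notions of this subsection: an EIO class that checks input-enabledness, hiding (Def. 2), multicast parallel composition with inherited errors (Def. 3), local reachability of errors, and the basic preorder $\sqsubseteq_B$. The request/response server and the two clients, with their state and action names, are constructed for the example and do not appear in the paper. They illustrate the point made above: a client that fires a second request before the response arrived is harmless on its own, so $\sqsubseteq_B$ accepts it as a refinement of the well-behaved client, but composed with the server the inherited error becomes locally reachable; a useful refinement preorder therefore has to be a precongruence contained in $\sqsubseteq_B$, not $\sqsubseteq_B$ itself.

```python
from collections import deque
from itertools import product

TAU = "tau"  # the internal action tau; distinct from every visible action


class EIO:
    """Error-IO transition system, Definition 1: (Q, I, O, delta, q0, E)."""

    def __init__(self, states, inputs, outputs, delta, q0, errors):
        self.Q, self.I, self.O = frozenset(states), frozenset(inputs), frozenset(outputs)
        self.delta, self.q0, self.E = frozenset(delta), q0, frozenset(errors)
        if self.I & self.O:
            raise ValueError("inputs and outputs must be disjoint")
        if not self.is_input_enabled():
            raise ValueError("an EIO must be input-enabled")

    @property
    def sigma(self):
        return self.I | self.O

    def is_input_enabled(self):
        """Every state has an i-transition for every input i."""
        enabled = {(p, a) for (p, a, _) in self.delta}
        return all((p, i) in enabled for p in self.Q for i in self.I)

    def locally_reachable(self):
        """States reachable from q0 by local actions (outputs and tau) alone."""
        seen, todo = {self.q0}, deque([self.q0])
        while todo:
            p = todo.popleft()
            for (s, a, q) in self.delta:
                if s == p and (a in self.O or a == TAU) and q not in seen:
                    seen.add(q)
                    todo.append(q)
        return seen

    def avoids_errors(self):
        """Section 2.1: no error state is locally reachable."""
        return not (self.locally_reachable() & self.E)


def hide(s, x):
    """Definition 2: S/X relabels the outputs in X with tau."""
    if not x <= s.O:
        raise ValueError("only outputs can be hidden")
    delta = {(p, TAU if a in x else a, q) for (p, a, q) in s.delta}
    return EIO(s.Q, s.I, s.O - x, delta, s.q0, s.E)


def parallel(s1, s2):
    """Definition 3: multicast parallel composition S1 || S2 of composable EIOs."""
    if s1.O & s2.O:
        raise ValueError("composable EIOs have disjoint output sets")
    sig1, sig2 = s1.sigma, s2.sigma
    delta = set()
    for (p1, a, q1) in s1.delta:
        if a not in sig2:    # S1 moves alone: a in (Sigma1 u {tau}) \ Sigma2
            delta |= {((p1, p2), a, (q1, p2)) for p2 in s2.Q}
        else:                # common visible action: both components move
            delta |= {((p1, p2), a, (q1, q2)) for (p2, b, q2) in s2.delta if b == a}
    for (p2, a, q2) in s2.delta:
        if a not in sig1:    # S2 moves alone
            delta |= {((p1, p2), a, (p1, q2)) for p1 in s1.Q}
    states = set(product(s1.Q, s2.Q))
    errors = {(p1, p2) for (p1, p2) in states if p1 in s1.E or p2 in s2.E}  # inherited errors
    inputs = (s1.I - s2.O) | (s2.I - s1.O)
    return EIO(states, inputs, s1.O | s2.O, delta, (s1.q0, s2.q0), errors)


def refines_basic(s1, s2):
    """S1 ⊑_B S2 (Section 2.1): S1 avoids errors provided S2 does; same signature required."""
    if (s1.I, s1.O) != (s2.I, s2.O):
        raise ValueError("the basic preorder relates EIOs of the same signature only")
    return s1.avoids_errors() or not s2.avoids_errors()


# Constructed sample systems (not from the paper): a server that accepts one request at a
# time, a client that waits for the response, and a hasty client that does not.
SERVER = EIO({"s0", "s1", "serr"}, {"req"}, {"resp"},
             {("s0", "req", "s1"), ("s1", "resp", "s0"),
              ("s1", "req", "serr"), ("serr", "req", "serr")}, "s0", {"serr"})
CLIENT = EIO({"c0", "c1", "cerr"}, {"resp"}, {"req"},
             {("c0", "req", "c1"), ("c1", "resp", "c0"),
              ("c0", "resp", "cerr"), ("cerr", "resp", "cerr")}, "c0", {"cerr"})
HASTY_CLIENT = EIO({"c0", "c1", "c2", "cerr"}, {"resp"}, {"req"},
                   {("c0", "req", "c1"), ("c1", "req", "c2"), ("c2", "resp", "c0"),
                    ("c0", "resp", "cerr"), ("c1", "resp", "cerr"),
                    ("cerr", "resp", "cerr")}, "c0", {"cerr"})

if __name__ == "__main__":
    print("HASTY ⊑_B CLIENT on its own:", refines_basic(HASTY_CLIENT, CLIENT))       # True
    print("CLIENT || SERVER avoids errors:", parallel(CLIENT, SERVER).avoids_errors())  # True
    print("HASTY || SERVER avoids errors:", parallel(HASTY_CLIENT, SERVER).avoids_errors())  # False
```

Both compositions have the empty input set, so every action in them is local and local reachability coincides with reachability; that is the situation of the "partners" used in Section 3.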

In the present paper, we will extend this approach to deal with further semantical issues. A state $q$ is potentially problematic if it is quiescent, i.e. has only input-transitions. On its own, $S$ cannot progress and, hence, is deadlocked in such a state. Furthermore, a state $q$ is sometimes considered to be as catastrophic as an error if it is divergent, i.e. some infinite run of $\tau$-transitions starts at $q$; the idea is that $S$ can block any communication since it gets stuck in this internal run. Our new approaches will show how to avoid faults during the design process, where faults are either error and quiescent states or error, quiescent and divergent states. Formally:


Definition 7 (Faults, Preorders). For an EIO $S$, $Qui$ (or $Qui_S$) is the set $\{q \in Q \mid \forall a \in O \cup \{\tau\}: q \not\xrightarrow{a}\}$ of its quiescent states and $Div$ (or $Div_S$) is the set $\{q \in Q \mid q$ has an infinite run of $\tau$-transitions$\}$ of its divergent states.

We say that $S$ avoids quiescence (divergence resp.) if no quiescent (divergent resp.) state is locally reachable.

For EIOs $S_1$ and $S_2$ with the same signature, we write $S_1 \sqsubseteq_B^{qui} S_2$ ($S_1 \sqsubseteq_B^{div} S_2$) if $S_1$ avoids errors and quiescence (errors, quiescence and divergence), provided $S_2$ does. Analogously to the above, $\sqsubseteq_C^{qui}$ ($\sqsubseteq_C^{div}$) is the fully abstract preorder for $\sqsubseteq_B^{qui}$ ($\sqsubseteq_B^{div}$) and parallel composition.


The first main aim of this paper is to characterize $\sqsubseteq_C^{qui}$ and $\sqsubseteq_C^{div}$. The corresponding trace sets appearing in this paper are based on a pruning and a continuation operator defined as follows. Pruning reflects the intuition that e.g. an error has as good as occurred if it is locally reachable. The second precongruence in [5] differs from ours in that these two operators are not applied to the divergence traces there; this makes the precongruence in [5] unnecessarily discriminating. Note that we introduce pruning on traces just because this is adequate to deal with our $\|$, which does not involve any pruning itself.


Definition 8 (Pruning and Continuation Function). Let $S$ be an EIO; with $\varepsilon$ being the empty word and $\mathfrak{P}(M)$ denoting the powerset of a set $M$, we define:

• $prune: \Sigma^* \to \Sigma^*$, $w \mapsto u$, with $w = uv$, $u = \varepsilon \vee u \in \Sigma^* \cdot I$ and $v \in O^*$,

• $cont: \Sigma^* \to \mathfrak{P}(\Sigma^*)$, $w \mapsto \{wu \mid u \in \Sigma^*\}$,

• $cont: \mathfrak{P}(\Sigma^*) \to \mathfrak{P}(\Sigma^*)$, $L \mapsto \bigcup \{cont(w) \mid w \in L\}$.
3 Preserving Error-Freedom


3.1 Characterizing $\sqsubseteq_C$


In this section, we demonstrate our approach for the simple case that considers errors only. This gives an easy access to our approach, and we will reuse the proofs in later sections. The trace-based characterization of $\sqsubseteq_C$ is defined as follows.


Definition 9 (Error Semantics). For an EIO $S$, we define the sets:

• strict error traces: $StET(S) := \{w \in \Sigma^* \mid q_0 \xRightarrow{w} q$ with $q \in E\}$,

• pruned error traces: $PrET(S) := \{prune(w) \mid w \in StET(S)\}$,

• error traces: $ET(S) := cont(PrET(S))$,

• The error-flooded language of $S$ is $EL(S) := L(S) \cup ET(S)$.

We call $(ET(S), EL(S))$ the error semantics of $S$. For two EIOs $S_1, S_2$ with the same signature, we write $S_1 \sqsubseteq_E S_2$ if $ET_1 \subseteq ET_2$ and $EL_1 \subseteq EL_2$.
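As an added example (our own code, not the paper's), the following Python script computes the error semantics of Definition 9 on all words up to a chosen length $k$, using $prune$ and $cont$ from Definition 8, the weak transitions $\xRightarrow{w}$ of Section 2, and the sets $Qui$ and $Div$ of Definition 7. An EIO is represented by a plain dict; the three sample systems SPEC, GOOD and BAD over $I = \{a\}$, $O = \{b\}$ are constructed for this example, their names and transitions are not from the paper, and the bound $k$ is our device for making the infinite sets $ET$ and $EL$ finite, so the check of $\sqsubseteq_E$ is exact only for words of length at most $k$. SPEC reaches an error only after the input sequence $aa$, so $aa$ is a pruned error trace and every continuation of it is flooded into $EL(\mathrm{SPEC})$; GOOD, which simply ignores a repeated $a$, is therefore accepted. BAD reaches an error through the outputs $bb$ after a single $a$; pruning cuts the trailing outputs, $prune(abb) = a$ is a pruned error trace of BAD that SPEC does not have, and BAD is rejected. BAD also contains a $\tau$-cycle, which the $Div$ computation detects.

```python
TAU = "tau"  # the internal action tau, distinct from every visible action


def states_of(eio):
    return {eio["q0"]} | {s for (p, _, q) in eio["delta"] for s in (p, q)}


def tau_closure(eio, states):
    """All states reachable from `states` by tau-transitions only (the states themselves included)."""
    closure, todo = set(states), list(states)
    while todo:
        p = todo.pop()
        for (s, a, q) in eio["delta"]:
            if s == p and a == TAU and q not in closure:
                closure.add(q)
                todo.append(q)
    return closure


def weak_runs(eio, k):
    """Map every word w over Sigma with |w| <= k to the set of states q with q0 =w=> q
    (weak transitions of Section 2: tau-steps may be interleaved anywhere)."""
    level = {(): tau_closure(eio, {eio["q0"]})}   # words of the current length
    runs = dict(level)
    for _ in range(k):
        nxt = {}
        for w, states in level.items():
            for (p, a, q) in eio["delta"]:
                if p in states and a != TAU:
                    nxt.setdefault(w + (a,), set()).add(q)
        level = {w: tau_closure(eio, qs) for w, qs in nxt.items()}
        runs.update(level)
    return runs


def prune(w, inputs):
    """Definition 8: drop the maximal suffix of outputs; the result is empty or ends with an input."""
    end = len(w)
    while end > 0 and w[end - 1] not in inputs:
        end -= 1
    return w[:end]


def all_words(sigma, k):
    """Sigma^* cut off at length k: the finite universe on which cont is evaluated."""
    words = {()}
    for _ in range(k):
        words |= {w + (a,) for w in words for a in sigma}
    return words


def error_semantics(eio, k):
    """Definition 9 on words of length <= k: returns (ET, EL) as sets of tuples."""
    runs = weak_runs(eio, k)
    language = set(runs)                                               # L(S)
    stet = {w for w, qs in runs.items() if qs & eio["E"]}              # StET(S)
    pret = {prune(w, eio["I"]) for w in stet}                          # PrET(S)
    sigma = eio["I"] | eio["O"]
    et = {w for w in all_words(sigma, k)
          if any(w[:len(p)] == p for p in pret)}                       # cont(PrET(S))
    return et, language | et                                           # ET(S), EL(S)


def refines_E(s1, s2, k):
    """S1 ⊑_E S2 (Definition 9), decided on all words of length <= k."""
    et1, el1 = error_semantics(s1, k)
    et2, el2 = error_semantics(s2, k)
    return et1 <= et2 and el1 <= el2


def quiescent_states(eio):
    """Qui_S of Definition 7: states that enable neither an output nor tau."""
    local = eio["O"] | {TAU}
    enabled = {(p, a) for (p, a, _) in eio["delta"]}
    return {q for q in states_of(eio) if not any((q, a) in enabled for a in local)}


def divergent_states(eio):
    """Div_S of Definition 7: a tau-cycle is tau-reachable, so an infinite tau-run starts here."""
    on_cycle = {p for (p, a, q) in eio["delta"] if a == TAU and p in tau_closure(eio, {q})}
    return {q for q in states_of(eio) if tau_closure(eio, {q}) & on_cycle}


# Constructed sample EIOs over I = {a}, O = {b}; names and transitions are ours, not the paper's.
SPEC = dict(I={"a"}, O={"b"}, q0="s0", E={"err"}, delta={
    ("s0", "a", "s1"), ("s1", "b", "s0"), ("s1", "a", "err"), ("err", "a", "err")})
GOOD = dict(I={"a"}, O={"b"}, q0="s0", E=set(), delta={
    ("s0", "a", "s1"), ("s1", "b", "s0"), ("s1", "a", "s1")})
BAD = dict(I={"a"}, O={"b"}, q0="s0", E={"err"}, delta={
    ("s0", "a", "s1"), ("s1", "a", "s1"), ("s1", "b", "s2"), ("s2", "a", "s2"),
    ("s2", "b", "err"), ("err", "a", "err"), ("s2", TAU, "d"), ("d", TAU, "s2"), ("d", "a", "d")})

if __name__ == "__main__":
    print("GOOD ⊑_E SPEC:", refines_E(GOOD, SPEC, 4))   # True
    print("BAD  ⊑_E SPEC:", refines_E(BAD, SPEC, 4))    # False: prune(abb) = a is an error trace of BAD only
    print("Qui(SPEC) =", quiescent_states(SPEC), " Div(BAD) =", divergent_states(BAD))
```

Because $ET$ is closed under continuation, a pruned error trace of length $m$ floods all words of length $m$ to $k$ above it; the bounded check is therefore sound for both inclusions on the words it inspects, and raising $k$ only adds longer words.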


Intuitively, it is clear that strict error traces are relevant if the reach- 
ability of an error is an issue. We have already argued that an error is as 
good as reached after a pruned strict error trace. Since an error is deadly, 
no further behaviour is relevant; to blur this behaviour, all continuations 
are added. Such a flooding is known from the treatment of divergence in [2]. 
Furthermore, if we want to know whether one system can still reach an error 
when being composed with another system, the (blurred) language of the 
latter is relevant. 


Theorem 10 (Error Semantics for Parallel Composition). For two composable EIOs $S_1, S_2$ and their composition $S_{12}$, we have:

1. $ET_{12} = cont(prune((ET_1 \| EL_2) \cup (EL_1 \| ET_2)))$,

2. $EL_{12} = (EL_1 \| EL_2) \cup ET_{12}$.


Proof: 1. „⊆“: Since both sides of the equation are closed under continuation, it suffices to consider a prefix-minimal word $w$ of $ET_{12}$, which from the definition is contained in $PrET_{12}$. Hence, there is some $v \in O_{12}^*$ such that $(q_{01}, q_{02}) \xRightarrow{w} (q_1, q_2) \xRightarrow{v} (q_1', q_2')$ with $(q_1', q_2') \in E_{12}$ and $w = prune(wv)$. Projecting the underlying run in the vein of Lemma 5.1, we get $q_{01} \xRightarrow{w_1} q_1 \xRightarrow{v_1} q_1'$ and $q_{02} \xRightarrow{w_2} q_2 \xRightarrow{v_2} q_2'$ with $w \in w_1 \| w_2$ and $v \in v_1 \| v_2$. W.l.o.g. we assume that $q_1' \in E_1$. Hence, $w_1 v_1 \in StET_1 \subseteq cont(PrET_1) = ET_1$. Since $q_{02} \xRightarrow{w_2 v_2}$, we infer $w_2 v_2 \in L_2 \subseteq EL_2$ and $wv \in ET_1 \| EL_2$. By $w = prune(wv)$, we are done.

1. „⊇“: Analogously, it suffices to consider a prefix-minimal word $x$ of the r.h.s., and this is a pruned word. Hence, there is some $y \in O_{12}^*$ with $xy \in (ET_1 \| EL_2) \cup (EL_1 \| ET_2)$, and w.l.o.g. $xy \in ET_1 \| EL_2$. Due to Lemma 5, there are $w_1 \in ET_1$ and $w_2 \in EL_2$ with $xy \in w_1 \| w_2$. We will show that $xy$ has a prefix $v' \in PrET_{12}$; since $v'$ cannot end on an action in $y$, it is a prefix of $x$, and we are done.

Let $v_1$ be the shortest prefix of $w_1$ in $PrET_1$. If $w_2 \in ET_2$, let $v_2$ be the shortest prefix of $w_2$ in $PrET_2$ and assume by symmetry that it does not end before $v_1$ in $xy$. Otherwise, we let $v_2 = w_2$, and in both cases $v_2 \in L_2$.

The last action of $v_1$ determines a prefix $v$ of $xy$ and a prefix $v_2'$ of $v_2$; hence, $v \in v_1 \| v_2'$. On the one hand, $q_{02} \xRightarrow{v_2'} q_2$. On the other, $\exists u_1 \in O_1^*: q_{01} \xRightarrow{v_1} q_1 \xRightarrow{u_1} q_1'$ with $q_1' \in E_1$. By Lemma 5, $(q_{01}, q_{02}) \xRightarrow{v} (q_1, q_2)$. By input-enabledness, all actions of $u_1$ that are inputs of $S_2$ can always be performed there. Hence, we can extend the latter run by $(q_1, q_2) \xRightarrow{u_1} (q_1', q_2')$, and $(q_1', q_2') \in E_{12}$.

This implies $vu_1 \in StET_{12}$; $v' = prune(vu_1)$ is in $PrET_{12}$ and a prefix of $v$ and $xy$. Note that, in particular, the last action of $v_1$ and $v$ might be an input in $S_1$ and an output in $S_{12}$. We are done.

2.: The proof for this item is essentially the same as in [4]. From the definitions, it is clear that $L_i \subseteq EL_i$ and $ET_i \subseteq EL_i$. To understand the arguments, read the chain of equations from the right.

$(EL_1 \| EL_2) \cup ET_{12}$
$= ((L_1 \cup ET_1) \| (L_2 \cup ET_2)) \cup ET_{12}$
$= (L_1 \| L_2) \cup (L_1 \| ET_2) \cup (ET_1 \| L_2) \cup (ET_1 \| ET_2) \cup ET_{12}$
$= (L_1 \| L_2) \cup ET_{12}$
$= L_{12} \cup ET_{12}$
$= EL_{12}$

Here the three middle terms of the third line are absorbed by $ET_{12}$, since by Part 1 we have $L_1 \| ET_2 \subseteq EL_1 \| ET_2 \subseteq ET_{12}$, $ET_1 \| L_2 \subseteq ET_1 \| EL_2 \subseteq ET_{12}$ and $ET_1 \| ET_2 \subseteq EL_1 \| ET_2 \subseteq ET_{12}$; the step from $L_1 \| L_2$ to $L_{12}$ is Lemma 5.2, and the last equality is Definition 9.
Since $cont$, $prune$ and $\|$ are monotonic on languages, this result implies:

Corollary 11 (Error-Precongruence). The relation $\sqsubseteq_E$ is a precongruence w.r.t. $\|$.


The following lemma is the next step in proving our characterization 
result. 


Lemma 12. Let $S_1$ and $S_2$ be two EIOs with the same signature. If $U \| S_1 \sqsubseteq_B U \| S_2$ for all partners $U$, then $S_1 \sqsubseteq_E S_2$.


Proof: We write $I$ for $I_1 = I_2$ and $O$ for $O_1 = O_2$. Recall that for a partner $U$ we have $I_U = O$ and $O_U \supseteq I$; in this proof, we will always have $O_U = I$. We first show $ET_1 \subseteq ET_2$. As above, it suffices to consider a prefix-minimal $w \in ET_1$.

• $w = \varepsilon$: In this case, $S_1$ has a locally reachable error. Let $U$ have just one non-error state with a loop for all $x \in I_U$. Thus, $S_1$ can essentially reach the same states locally as $U \| S_1$, and also $U \| S_2$ can reach an error locally. This error can only stem from $S_2$, and $w \in ET_2$.

• $w = x_1 \ldots x_n x_{n+1} \in \Sigma^*$ with $n \ge 0$ and $x_{n+1} \in I = O_U$: We construct the following partner $U$ (see also Fig. 1):

  – $Q_U = \{q_0, q_1, \ldots, q_{n+1}\}$,
  – $q_{0U} = q_0$,
  – $E_U = \emptyset$,
  – $\delta_U = \{(q_i, x_{i+1}, q_{i+1}) \mid 0 \le i \le n\}$
    $\cup\ \{(q_i, x, q_{n+1}) \mid x \in I_U \setminus \{x_{i+1}\},\ 0 \le i \le n\}$
    $\cup\ \{(q_{n+1}, x, q_{n+1}) \mid x \in I_U\}$.

Since $w \in PrET(S_1)$, there is some $u \in O^*$ with $wu \in StET(S_1)$. Hence, in $U \| S_1$, we have a run $(q_0, q_{01}) \xRightarrow{w} (q_{n+1}, q') \xRightarrow{u} (q_{n+1}, q'')$ with $q'' \in E_1$. This implies $wu \in StET(U \| S_1)$. Since each action in $wu$ is an output in one component, $U \| S_1$ can reach an error locally.

By assumption, also in $U \| S_2$ an error can be reached locally. In the respective run, $U$ and $S_2$ each perform some $x_1 \ldots x_i u'$ with some $u' \in I_U^* = O^*$. With this, $S_2$ reaches a state in $E_2$, since $U$ does not have any errors. Thus, $prune(x_1 \ldots x_i u') = prune(x_1 \ldots x_i) \in PrET_2 \subseteq ET_2$. This implies that $x_1 \ldots x_i$ and also $w$ are in $ET_2$.
Figure 1: $x? \neq x_i$ represents all $x \in I_U \setminus \{x_i\}$


It remains to show $EL_1 \subseteq EL_2$. For this, it now suffices to consider some $w \in L_1$. Since clearly $\varepsilon \in EL_2$, we can assume $w = x_1 \ldots x_n$ with $n \ge 1$. We construct the following partner $U$ (see also Fig. 2):

• $Q_U = \{q_0, q_1, \ldots, q_n, q\}$,
• $q_{0U} = q_0$,
• $E_U = \{q_n\}$,
• $\delta_U = \{(q_i, x_{i+1}, q_{i+1}) \mid 0 \le i < n\}$
  $\cup\ \{(q_i, x, q) \mid x \in I_U \setminus \{x_{i+1}\},\ 0 \le i < n\}$
  $\cup\ \{(q_n, x, q_n), (q, x, q) \mid x \in I_U\}$.


Figure 2: $x? \neq x_i$ represents all $x \in I_U \setminus \{x_i\}$, $q_n$ is the only error state


Since $w \in L_1$, $U \| S_1$ and thus also $U \| S_2$ can reach an error locally. If this error stems from $q_n$, then $w \in L_2 \subseteq EL_2$. If this is not the case, $S_2$ has some strict error trace $x_1 \ldots x_i u$ with $u \in I_U^* = O^*$. Then, some prefix of $x_1 \ldots x_i$ is a pruned error trace and again $w \in EL_2$.

The next theorem states that $\sqsubseteq_E$ is the coarsest precongruence we have been looking for. In particular, this means that, if one is interested in a precongruence w.r.t. $\|$ that refines $\sqsubseteq_B$, one needs a relation as fine as $\sqsubseteq_E$. What we prove is actually stronger: it suffices to be interested in a relation that is compositional w.r.t. $\|$ just for partners and that refines $\sqsubseteq_B$ just on systems without inputs. On such systems, which result from the composition with a partner, local reachability coincides with reachability. That we do not want to introduce a reachable error in a refinement step if there was not one initially, is possibly even more convincing than $\sqsubseteq_B$.


Theorem 13 (Full abstractness for Error Semantics). For two EIOs $S_1$ and $S_2$ with the same signature, we have $S_1 \sqsubseteq_C S_2 \Leftrightarrow S_1 \sqsubseteq_E S_2$.


Proof: „⇐“: If $S_1 \sqsubseteq_E S_2$ and $S_1$ can reach an error locally, we have $\varepsilon \in ET_1 \subseteq ET_2$. This implies that $S_2$ can also reach an error locally; thus $\sqsubseteq_E$ is contained in $\sqsubseteq_B$.

As stated in Corollary 11, $\sqsubseteq_E$ is a precongruence w.r.t. $\|$. Since $\sqsubseteq_C$ is the coarsest precongruence w.r.t. $\|$ contained in $\sqsubseteq_B$, $\sqsubseteq_E$ is contained in $\sqsubseteq_C$.

„⇒“: Since $\sqsubseteq_C$ is a precongruence, we have $U \| S_1 \sqsubseteq_C U \| S_2$ for all partners $U$. Since $\sqsubseteq_C$ is contained in $\sqsubseteq_B$, this implies $U \| S_1 \sqsubseteq_B U \| S_2$ for all partners $U$. With Lemma 12, we get $S_1 \sqsubseteq_E S_2$.


3.2 Hiding and Error-Freedom 


Since hiding turns outputs into $\tau$, i.e. some local actions into another one, local reachability remains the same. This is essential for the following result to hold.


Theorem 14 (Error-Precongruence w.r.t. Internalization). Let $S$ be an EIO. Then:

(i) $L(S/X) = \{w \in (\Sigma \setminus X)^* \mid \exists w' \in L(S): w'|_{\Sigma \setminus X} = w\}$,

(ii) $ET(S/X) = \{w \in (\Sigma \setminus X)^* \mid \exists w' \in ET(S): w'|_{\Sigma \setminus X} = w\}$,

(iii) $EL(S/X) = \{w \in (\Sigma \setminus X)^* \mid \exists w' \in EL(S): w'|_{\Sigma \setminus X} = w\}$.

Hence, $\sqsubseteq_E$ is a precongruence w.r.t. hiding as well as w.r.t. parallel composition with hiding.


Proof: Part (i) is obvious. It only remains to show Part (ii). Then, Part (iii) follows, which implies the first and then, with Cor. 11, the second precongruence statement.

We consider some $w \in ET(S/X)$. There are a prefix $v \in PrET(S/X)$ of $w$ and some $u \in (O \setminus X)^*$ with $vu \in StET(S/X)$. The respective underlying run of $vu$ exists in $S$ as well, except that some $\tau$-transitions might be labelled by outputs from $X$ in $S$. Hence, there are $v'$ and $u'$ such that $v'|_{\Sigma \setminus X} = v$, $u'|_{\Sigma \setminus X} = u$, $u' \in O^*$ and $v'u' \in StET(S)$; $v'$ like $v$ does not end with an output. (For the latter, $u'$ has to start immediately after all actions of $v$ have been performed.) Hence, $v' \in PrET(S)$, and the same word that extends $v$ to $w$ extends $v'$ to a suitable $w' \in ET(S)$.

Vice versa, consider some $w' \in ET(S)$. There are a prefix $v' \in PrET(S)$ of $w'$ and some $u' \in O^*$ with $v'u' \in StET(S)$. The respective underlying run of $v'u'$ exists in $S/X$ as well, except that transition labels from $X$ are replaced by $\tau$. Since $v'$ does not end with an output, the same holds for $v = v'|_{\Sigma \setminus X}$. Thus, $v \in PrET(S/X)$, and $v$ is a prefix of $w'|_{\Sigma \setminus X}$; we are done.


4 Preserving Freedom From Quiescence 


4.1 Characterizing $\sqsubseteq^C_{Qui}$


In this section, we will consider quiescence as an additional fault. The resulting fully abstract precongruence will also be a precongruence for hiding, even though we do not consider divergence in this approach. Recall the definition of quiescence, $\sqsubseteq^B_{Qui}$ and $\sqsubseteq^C_{Qui}$ in Section 2.1. To characterize $\sqsubseteq^C_{Qui}$, we extend the error semantics by a third set of quiescent traces or qsc-traces for short. Behaviour after an error, including quiescence, does not matter; hence, qsc-traces are flooded with error traces. In contrast to an error, a quiescence in one component can be escaped by suitable behaviour of the other. Thus, qsc-traces are not closed under continuation. They are a subset of the language, so flooding $EL$ with qsc-traces would not have an effect anyway.


Definition 15 (Quiescence Semantics). For an EIO $S$, we denote the set of quiescent states by $Qui$ (or $Qui_S$) and define the following trace sets:

• strict qsc-traces: $StQT(S) := \{w \in \Sigma^* \mid q_0 \xRightarrow{w} q \in Qui\}$,
• (error-flooded) qsc-traces: $QET(S) := StQT(S) \cup ET(S)$.

We call $(ET(S), QET(S), EL(S))$ the quiescence semantics of $S$. For two EIOs $S_1$, $S_2$ with the same signature, we write $S_1 \sqsubseteq_{Qui} S_2$ if $S_1 \sqsubseteq_E S_2$ and $QET_1 \subseteq QET_2$.
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Due to input-enabledness, the following lemma is obvious from the 
definitions and Lemma 5.1.4 


Lemma 16. 1. A state $(q_1, q_2)$ of a parallel composition $S_{12}$ is quiescent if and only if the states $q_1$ and $q_2$ are so in $S_1$, $S_2$ resp.

2. Let $w \in \Sigma_{12}^*$, $w_1 = w|_{\Sigma_1}$ and $w_2 = w|_{\Sigma_2}$. Then, $w \in StQT_{12}$ if and only if $w_1 \in StQT_1$ and $w_2 \in StQT_2$.


We list Parts 1 and 3 in the following theorem to present the complete semantics; they have already been proven in Thm. 10.


Theorem 17 (Quiescence Semantics for Parallel Composition). For two composable EIOs $S_1$, $S_2$ and their composition $S_{12}$, we have:

1. $ET_{12} = cont(prune((ET_1 \| EL_2) \cup (EL_1 \| ET_2)))$,
2. $QET_{12} = (QET_1 \| QET_2) \cup ET_{12}$,
3. $EL_{12} = (EL_1 \| EL_2) \cup ET_{12}$.


Proof: We only have to prove Part 2. For the inclusion "⊆", it suffices to consider some $w \in StQT_{12}$, and this case is settled by Lemma 16.2. For the reverse inclusion, it suffices to consider some $w_1 \in QET_1$ and $w_2 \in QET_2$. If one of these is an error trace, we are done by Part 1, otherwise again by Lemma 16.2.

Again, we have the following consequence by monotonicity. 


Corollary 18 (Quiescent Precongruence). The relation $\sqsubseteq_{Qui}$ is a precongruence w.r.t. $\|$.


We now consider the communication with partners, taking also quies- 
cence into account. 


Lemma 19. Let $S_1$ and $S_2$ be two EIOs with the same signature. If $U\|S_1 \sqsubseteq^B_{Qui} U\|S_2$ for all partners $U$, then $S_1 \sqsubseteq_{Qui} S_2$.

Proof: We will modify and extend the proof of Lemma 12. Here, we restrict ourselves to partners with $I_U = O$ and $O_U = I \cup \{\omega\}$ with a fresh action $\omega$. This action allows the partner to prevent quiescence. In this but not the next section, we could replace $\omega$ by $\tau$ and still have $O_U = I$.

We first show $ET_1 \subseteq ET_2$ and consider a prefix-minimal $w \in ET_1$.


⁴ In a setting without input-enabledness, the forward implication in Part 1 (of Lemma 16) only holds if $(q_1, q_2)$ is not an error.
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e w =e: In this case, 5S; has a locally reachable error. Let U have just 


one non-error state with a loop for w and all « € Iy. Thus, S; can 
essentially reach the same states locally as U||S,, and U||S2 can reach 
an error or a quiescent state locally. The latter is impossible due to 
the w-loop, and the error can only stem from $2; it can be reached 
without involving w, and thus w € ET». 


W = 21...2n%n41 € U* with n > 0 and rni1 € I C Oy: We construct 
the same partner U as for Lemma 12, but with an additional w- 
transition from each state to gn+1; see Fig. 3. Similarly, we derive that 
in U||S2 an error or a quiescent state can be reached locally; since the 
latter is impossible, we conclude as for Lemma 12. For wu’ in the resp. 
proof, note that it can have ws in addition to outputs from O. But 
since U is input-enabled, Sy can perform these outputs in the same 
way without intervening ws; so we can assume u’ € O* and proceed as 
in the proof of Lemma 12. 


[Figure 3: the partner $U$ for the second case, with loops labelled $x? \in I_U, \omega!$; image not reproduced]

Figure 3: $x? \ne x_i$ represents all $x \in I_U \setminus \{x_i\}$


Next, we consider $EL_1 \subseteq EL_2$. As in Section 3.1, it suffices to consider some $w = x_1 \ldots x_n \in L_1$ with $n \ge 1$. We modify the partner $U$ from Lemma 12 in the same way as in the previous case; see Fig. 4. Since the $\omega$-transitions make sure that there are no quiescent states in any of the two compositions, the proof now works as for Lemma 12.


[Figure 4: image not reproduced] Figure 4: $x? \ne x_i$ represents all $x \in I_U \setminus \{x_i\}$, $q_n$ is the only error state

For the remaining inclusion, we have to prove that any $w = x_1 \ldots x_n \in StQT_1$ with $n \ge 0$ is also in $QET_2$. We construct the following partner $U$; see Fig. 5:

• $Q_U = \{q_0, \ldots, q_n\} \cup \{q\}$,
• $q_{0U} = q_0$,
• $E_U = \emptyset$,
• $\delta_U = \{(q_i, x_{i+1}, q_{i+1}) \mid 0 \le i < n\}$
  $\cup \{(q_i, x, q) \mid x \in I_U \setminus \{x_{i+1}\},\ 0 \le i < n\}$
  $\cup \{(q_i, \omega, q) \mid 0 \le i < n\}$
  $\cup \{(q_n, x, q) \mid x \in I_U\}$
  $\cup \{(q, a, q) \mid a \in I_U \cup \{\omega\}\}$.

[Figure 5: the partner $U$ just defined, with loops labelled $x? \in I_U, \omega!$; image not reproduced]

Figure 5: $x? \ne x_i$ represents all $x \in I_U \setminus \{x_i\}$, $q_n$ is the only quiescent state


Clearly, $w$ reaches a quiescent state in $U\|S_1$ and consists of outputs only. By assumption, also $U\|S_2$ can reach an error or quiescent state locally.

a) If an error is reached locally, it is inherited from $S_2$; to reach it, $S_2$ performs a prefix of $w$ and possibly some more outputs. We are done as in the case for $ET$-inclusion.

b) If a quiescent state is reached locally, $S_2$ performs $w$ and reaches a quiescent state itself. Hence, $w \in StQT_2 \subseteq QET_2$.
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Now we can prove that Eg,,; characterizes the coarsest precongruence 


. . —B 
contained in C Oust: 


Theorem 20 (Full Abstractness for Quiescence Semantics). For two EIOs S1 
and Sy with the same signature, we have S41 CO ui So S1 Equi S2- 


Proof: The proof is essentially the same as the one for Theorem 18, 
using Lemma 19 instead of Lemma 12. To conclude that Eg, is contained 
in CB ui one only has to add: If S$; Egy; S2 and S$; can reach a quiescent 
state locally with some w, we have w € QET, C QET»2. Then either S2 can 
reach an error locally, or w € QET2 \ ET2 C StQT2 and S$ can also reach 
a quiescent state locally with w. 


4.2 Hiding, Conjunction and Quiescence 


Since only outputs are hidden, hiding does not change the quiescence status 
of a state. Therefore, it is easy to see the following result in the light of 
Theorem 14: 


Theorem 21 (Quiescence Precongruence w.r.t. Internalization). Let $S$ be an EIO. Then:

(i) $ET(S/X) = \{w \in (\Sigma\setminus X)^* \mid \exists w' \in ET(S): w'|_{\Sigma\setminus X} = w\}$,

(ii) $EL(S/X) = \{w \in (\Sigma\setminus X)^* \mid \exists w' \in EL(S): w'|_{\Sigma\setminus X} = w\}$,

(iii) $StQT(S/X) = \{w \in (\Sigma\setminus X)^* \mid \exists w' \in StQT(S): w'|_{\Sigma\setminus X} = w\}$,

(iv) $QET(S/X) = \{w \in (\Sigma\setminus X)^* \mid \exists w' \in QET(S): w'|_{\Sigma\setminus X} = w\}$.

Hence, $\sqsubseteq_{Qui}$ is a precongruence w.r.t. hiding as well as w.r.t. parallel composition with hiding.


To show that the new $\sqsubseteq_{Qui}$ is a feasible basis for an interface theory, we will now define an operator $\wedge$ that satisfies the defining requirement for a conjunction, i.e. the refinements of $S_1 \wedge S_2$ (if it exists) are the common refinements of $S_1$ and $S_2$. For this to hold, $S_1$ and $S_2$ must have the same signature $(I, O)$. Observe that conjunction is determined by the refinement up to the equivalence contained in the refinement.

Optimally, $ET(S_1 \wedge S_2)$ will be $ET_1 \cap ET_2$, because only those traces are allowed to reach errors locally in both automata. Analogously, intersection is optimal for $EL$ and $QET$. Naturally, $S_1 \wedge S_2$ should be some Cartesian product with error set $E_1 \times E_2$, such that $StET_{S_1 \wedge S_2} = StET_1 \cap StET_2$.
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But in view of pruning and continuation for ET, this does not work directly, 
and we will first normalize the EIOs. 

To see why, let i € I and 0,0’ € O, and assume that io € StET, \ StET» 
and io! € StET> \ StET,. Neither io nor io’ will reach an error in the 
Cartesian product, but 7 is a common error trace. To make sure that it is 
an error trace in the product, we will prune S; and 5S» according to Step i) 
below. This step is in essence very similar to the pruning applied during 
parallel composition in [6,7]. Also, we could have 7 € StET; \ StET2 and 
it € StET> \ StET,. In this case, neither i nor zi will reach an error in the 
Cartesian product, but 77 is a common error trace. Consequently, we will 
cater for continuation in Step ii) below. 


[Figure 6: the EIOs $S$, $S'$, $CJK$ and $R$; image not reproduced]

Figure 6: CJK: conjunction according to [5], R: some common refinement


In [5], a construction is used for conjunction w.r.t. $\sqsubseteq_E$ that is the Cartesian product with error set $E_1 \times E_2$. Since $e \xrightarrow{a} e$ is required for each $e \in E$ and $a \in \Sigma \cup \{\tau\}$, the second problem does not arise. But due to the first problem, the construction is wrong there, e.g. for $S$ and $S'$ in Fig. 6, which have the common input $i$, outputs $o$, $o'$ and error trace $i$. The conjunction according to [5] shown does not cover the common refinement $R$ of $S$ and $S'$. Our construction would normalize $S$ and $S'$ to the same automaton. Hence, also our conjunction would be the same automaton and look like the automaton $CJK$ except that the state $q_1 \wedge q_1'$ would be an error state with a loop for all actions in $\Sigma$.


Definition 22 (Normal Form). An EIO $S$ is in normal form (NF), if $E$ has just one element, $E = \{e\}$ say, and the following hold: $e \xrightarrow{a} e$ for all $a \in \Sigma$; $q \xrightarrow{a} e \wedge q \ne e$ implies $a \in I$; and $e \xrightarrow{a} q$ implies $q = e$.
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The normal form of S is the EIO NF(S) obtained from S with the 
following two steps: 


i) Define E := {q| dq’ € E, we O*: gq} and replace E by E. 


ii) If qy € E, let NF(S) == ({a0},1,0, {40 > 40 | @ € E}, 40, {a0}). 


Otherwise, add a new state e, which becomes the only error state. 
Whenever q % qd’ with qd! € E andq¢ E for some a € SU {r} (then 
necessarily a € I), remove all a-transitions from q and add a transition 
q—>e. Finally, add alle 4 e with a €%. 


Clearly, $NF(S)$ is in normal form. Step i) does not change the runs, nor whether a state is quiescent or not. It does change $StET$, but neither $PrET$ nor $ET$. Thus, the result is equivalent to $S$ w.r.t. $\sqsubseteq_{Qui}$ and hence $\sqsubseteq_E$. In the first case of Step ii), we have $ET(S) = \Sigma^* = ET(NF(S))$. In the second case, the step does not change whether a state is quiescent or not. We may gain runs that use some $e \xrightarrow{a} e$, but their traces are in $ET(S)$ and $ET(NF(S))$. We may also lose runs that use some $q \xrightarrow{a} q'$ in $S$ that is removed in Step ii); but their traces are again in $ET(S)$ and $ET(NF(S))$. Since $ET(S) = ET(NF(S))$ and all relevant trace sets are flooded with $ET$, $NF(S)$ is equivalent to $S$ w.r.t. $\sqsubseteq_{Qui}$ and hence $\sqsubseteq_E$. So we have:


Proposition 23 (Normal Form). Each EIO $S$ is equivalent to $NF(S)$ w.r.t. $\sqsubseteq_{Qui}$ and $\sqsubseteq_E$.


Thus, we can assume that an EIO is in normal form if we wish. The above transformation is efficient for finite EIOs: for Step i), one performs in linear time one breadth first search (BFS) from the states in $E$ via the reversed local transitions. For the non-trivial case of Step ii), one performs one BFS from $q_0$ without traversing transitions that have to be deleted. All states not visited are unreachable in $NF(S)$ and can be removed, so that $NF(S)$ might be much smaller than $S$. We have the following easy lemma.


Lemma 24. If an EIO $S$ is in normal form (with error state $e$), $w \in ET(S)$ if and only if $w$ arises from a run reaching $e$, and $w \in EL(S)$ if and only if $w$ arises from a run. Thus, $EL(S) = L(S)$.

Now we are ready to define A. 


Definition 25 (Conjunction). Let $S_1$ and $S_2$ be EIOs with the same signature $(I, O)$, which we assume to be in normal form (with error states $e_1$, $e_2$). We define $S := S_1 \times S_2$ as follows: $Q = Q_1 \times Q_2$, the signature is $(I, O)$, $q_0 = (q_{01}, q_{02})$, $E = E_1 \times E_2 = \{(e_1, e_2)\}$, and $\delta$ consists of all

$((q_1, q_2), a, (p_1, p_2))$ for $(q_1, a, p_1) \in \delta_1$, $(q_2, a, p_2) \in \delta_2$ and $a \in \Sigma$,
$((q_1, q_2), \tau, (p_1, q_2))$ for $(q_1, \tau, p_1) \in \delta_1$,
$((q_1, q_2), \tau, (q_1, p_2))$ for $(q_2, \tau, p_2) \in \delta_2$.

$S_1 \wedge S_2$ is obtained from $S$ by adding a $\tau$-loop to every $(q_1, q_2) \in Qui$ if one of the $q_i$ is neither quiescent nor an error.


The addition of the $\tau$-loops makes sure that states in the product are not wrongly quiescent. We close this section by showing that $\wedge$ is really a conjunction in the settings of this and the previous section. This implies also that $\wedge$ is commutative, associative and compositional, cf. e.g. [3].


Theorem 26 (Conjunction). For three EIOs $R$, $S_1$ and $S_2$ with the same signature, we have that $R \sqsubseteq_{Qui} S_1 \wedge S_2$ if and only if $R \sqsubseteq_{Qui} S_1$ and $R \sqsubseteq_{Qui} S_2$; the same holds for $\sqsubseteq_E$.


Proof: Since $\wedge$ involves normalization, we can assume that $S_1$ and $S_2$ are in normal form. Furthermore, the Cartesian product is known from automata theory as a construction for the intersection of languages of automata with final states. Hence, we can derive from Lemma 24 that $ET(S_1 \wedge S_2) = ET_1 \cap ET_2$ and $EL(S_1 \wedge S_2) = EL_1 \cap EL_2$; we are done once we have shown the analogous statement for $QET$.

First, consider some $w \in QET_1 \cap QET_2$. Then, for $i \in \{1, 2\}$, $w$ can be performed to reach some $q_i \in Q_i$ that is quiescent or the error. Thus, no $\tau$-loop is added to $(q_1, q_2)$ in $S_1 \wedge S_2$, and $(q_1, q_2)$ is quiescent due to a quiescent component or equal to $(e_1, e_2)$. Hence, $w \in QET(S_1 \wedge S_2)$.

Second, consider some $w \in QET(S_1 \wedge S_2)$. If $w \in ET(S_1 \wedge S_2)$, then $w \in QET_1$ and $w \in QET_2$. Otherwise, $w \in StQT(S_1 \wedge S_2)$ due to some $(q_1, q_2) \in Qui$. Since $(q_1, q_2)$ has no $\tau$-loop, we conclude that each $q_i$ is quiescent or the error, implying $w \in QET_1 \cap QET_2$.


5 Preserving Freedom From Divergence 


5.1 Characterizing $\sqsubseteq^C_{Div}$


In this section, we will additionally treat divergent states as faulty. Recall the definition of divergence, $Div$, $\sqsubseteq^B_{Div}$ and $\sqsubseteq^C_{Div}$ in Section 2.1. To characterize $\sqsubseteq^C_{Div}$, we modify the quiescence semantics further to cater for divergence. Since divergence cannot be prevented by another component in a parallel composition, it is as catastrophic as an error. Consequently, we will define divergence traces, or div-traces for short, with pruning and continuation. We will add these div-traces to $ET$ and use the extended set for flooding the other two trace sets of the semantics.


Definition 27 (Divergence Traces). For an EIO $S$, we define the following trace sets:

• strict div-traces: $StDT(S) := \{w \in \Sigma^* \mid q_0 \xRightarrow{w} q \in Div\}$,
• pruned div-traces: $PrDT(S) := \{prune(w) \mid w \in StDT(S)\}$,
• div-traces: $DT(S) := cont(PrDT(S))$.


Definition 28 (Divergence Semantics). The divergence semantics of an EIO $S$ consists of:

• the set of error-div-traces of $S$: $EDT(S) := ET(S) \cup DT(S)$,
• the set of flooded qsc-traces of $S$: $QDT(S) := StQT(S) \cup EDT(S)$,
• the flooded language of $S$: $EDL(S) := L(S) \cup EDT(S)$.

We call $(EDT(S), QDT(S), EDL(S))$ the divergence semantics of $S$. For two EIOs $S_1$, $S_2$ with the same signature, we write $S_1 \sqsubseteq_{Div} S_2$ if $EDT_1 \subseteq EDT_2$, $QDT_1 \subseteq QDT_2$ and $EDL_1 \subseteq EDL_2$.


Although the new refinement is closely related to the previous ones, the sets in the semantics above are all different from previous sets. In fact, $\sqsubseteq_{Div}$ is incomparable to the two earlier precongruences. For comparison, we also introduce the quiescence- and divergence-sensitive precongruence $\sqsubseteq_{CJK}$ from [5]: it is the component-wise inclusion of the trace sets $ET$, $ET \cup StDT$, $ET \cup StDT \cup StQT$ and $EL$. From the definitions, it is obvious that $\sqsubseteq_{Qui}$ and $\sqsubseteq_{CJK}$ are contained in $\sqsubseteq_E$. Furthermore, $\sqsubseteq_{CJK}$ is contained in $\sqsubseteq_{Div}$: closing the second trace set of the former semantics under pruning and continuation gives $EDT$; flooding the third and the fourth set with $EDT$ gives $QDT$ and $EDL$; thus, inclusion carries over. Using the EIOs in Fig. 7, we will now show that these inclusions are strict and no other inclusions hold; these relations between the four precongruences are depicted in Fig. 8 below.

$S_1$ and $S_2$ are equivalent w.r.t. $\sqsubseteq_{Qui}$ (hence $\sqsubseteq_E$), but $\neg\, S_1 \sqsubseteq_{Div} S_2$ due to the immediate divergence, hence also $\neg\, S_1 \sqsubseteq_{CJK} S_2$. Furthermore, $S_4$
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S, — 401 SULT So — 2 Do! 
ol. q4 
$3 [qos € E[_)ol,t Sa — Goa 
o! G24 DT 


| 
Ss — 95 > as ee as 


Figure 7: Examples disproving some inclusions 


and $S_5$ are equivalent w.r.t. $\sqsubseteq_{CJK}$ (hence $\sqsubseteq_E$), but $\neg\, S_4 \sqsubseteq_{Qui} S_5$ due to the quiescence after $o$; observe that, for $\sqsubseteq_{CJK}$, this quiescence is covered up by the strict divergence trace $o$. This settles in which precongruences $\sqsubseteq_{Qui}$, $\sqsubseteq_E$ and $\sqsubseteq_{CJK}$ are contained.

Finally, $S_1$ and $S_3$ are equivalent w.r.t. $\sqsubseteq_{Div}$ since errors and divergences are considered equally bad. But $S_3$ is not a refinement of $S_1$ in any of the other three settings, which respect $ET$. We conclude:


$\sqsubseteq_{Qui} \to \sqsubseteq_E$, $\sqsubseteq_{CJK} \to \sqsubseteq_E$, $\sqsubseteq_{CJK} \to \sqsubseteq_{Div}$

Figure 8: Inclusions between precongruences (an arrow leads from a relation to a coarser one)


Theorem 29 (Comparison of Precongruences). All inclusions between $\sqsubseteq_{Qui}$, $\sqsubseteq_E$, $\sqsubseteq_{Div}$ and $\sqsubseteq_{CJK}$ are depicted in Fig. 8 as arrows; these inclusions are strict.


To shed more light on the difference between $\sqsubseteq_{Div}$ and $\sqsubseteq_{CJK}$, consider the EIOs in Fig. 9; $a$ represents $i$ or $o$. Observe that, no matter how $a$ is chosen, the EIOs have no error or quiescent states. We have $R_1 \sqsubseteq_{Div} R_1'$ due to the immediate divergence in $R_1'$, but $\sqsubseteq_{CJK}$ fails since $cont$ is not applied to $StDT$. On the other hand, $R_2' \sqsubseteq_{Div} R_2$ since we apply $prune$ to $StDT$, whereas $\sqsubseteq_{CJK}$ fails.

Presumably, the authors of [5] consider it unconvincing that quiescence can be resolved by invisible actions alone; at the same time, they regard it as good enough if an output action is performed after some $\tau$s. But this does not mean that e.g. the divergence in $S_1$ above is problematic, since an output is possible all the time.
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e 
0 7?, o! 
a, 11 — 91 —)??, a! 
Ra — 1 
i?,0! q21 — > 7?, ol 


T i? ol 
af, Or ; 
(y Oh q12 ——> 932 > 7?, o! 
Ri, — %2 
2,01 22 ~ io) 


Figure 9: Difference between Ep;, and EosK 


And if divergence really is a problem in any case, then it cannot be 'left behind' due to activity of the environment as in the case of a quiescence. Consequently, it should be treated like an error as in our setting. We believe the idea we ascribed to the authors of [5] would be adequately formalized by calling state $q$ not quiescent if $q \xRightarrow{o}$ for some $o \in O$. We suspect that developing the setting of the previous section with this notion of fault could be difficult.


To proceed, we show compositionality for $\sqsubseteq_{Div}$.

Theorem 30 (Divergence Semantics for Parallel Composition). For two composable EIOs $S_1$, $S_2$ and their composition $S_{12}$, we have:

1. $EDT_{12} = cont(prune((EDT_1 \| EDL_2) \cup (EDL_1 \| EDT_2)))$,
2. $QDT_{12} = (QDT_1 \| QDT_2) \cup EDT_{12}$,
3. $EDL_{12} = (EDL_1 \| EDL_2) \cup EDT_{12}$.

Proof: The proof is the same as the combination of the proofs for Theorems 17 and 10; throughout, one has to treat divergent states and error-div-traces in the same way as error states and traces above.

Corollary 31 (Divergence Precongruence). The relation $\sqsubseteq_{Div}$ is a precongruence w.r.t. $\|$.


We now continue to characterize $\sqsubseteq^C_{Div}$ in the same way as in the previous sections.

Lemma 32. Let $S_1$ and $S_2$ be two EIOs with the same signature. If $U\|S_1 \sqsubseteq^B_{Div} U\|S_2$ for all partners $U$, then $S_1 \sqsubseteq_{Div} S_2$.

Proof: For Lemma 19, we modified and extended the proof of Lemma 12. Here, we point out that the modified version works for the present lemma as well. The only change is that, instead of an error state, an error or divergent state has to be considered, and similarly $EDT$ instead of $ET$ etc. and $StET \cup StDT$ instead of $StET$ etc.

Now we can conclude that $\sqsubseteq_{Div}$ characterizes the coarsest precongruence contained in $\sqsubseteq^B_{Div}$. The proof is again analogous to those of Theorems 13 and 20; in particular, we have to replace error state by error or divergent state.

Theorem 33 (Full Abstractness for Divergence Semantics). For two EIOs $S_1$ and $S_2$ with the same signature, we have $S_1 \sqsubseteq^C_{Div} S_2 \iff S_1 \sqsubseteq_{Div} S_2$.


5.2 Hiding, Conjunction and Divergence 


In a divergence-sensitive setting, precongruence for hiding usually needs some finiteness condition. In our study of hiding, we restrict ourselves to finite EIOs and to the hiding of single outputs to keep concepts simple. Hiding of finite sets can be obtained by repeating such hiding. We write $S/o$ for $S/\{o\}$ if $o \in O$. Note that, in the following result, $EDT(S/o)$ is obtained from $EDL(S)$; it is larger than just $\{w \mid \exists w' \in EDT(S): w'|_{\Sigma\setminus\{o\}} = w\}$. Due to the latter, the other two sets need a new flooding.

Theorem 34 (Divergence Precongruence w.r.t. Internalization). Let $S$ be a finite EIO and $o \in O$. Then:
(i) $EDT(S/o) = cont(prune(\{w \mid \exists w': w'|_{\Sigma\setminus\{o\}} = w \wedge \forall n \ge 0: w'o^n \in EDL(S)\}))$,
(ii) $EDL(S/o) = \{w \mid \exists w' \in EDL(S): w'|_{\Sigma\setminus\{o\}} = w\} \cup EDT(S/o)$,
(iii) $QDT(S/o) = \{w \mid \exists w' \in QDT(S): w'|_{\Sigma\setminus\{o\}} = w\} \cup EDT(S/o)$.
Hence, $\sqsubseteq_{Div}$ is a precongruence w.r.t. hiding as well as w.r.t. parallel composition with hiding on finite EIOs.


Proof: Parts (ii) and (iii) should be clear from earlier considerations. It only remains to show Part (i). Then, the precongruence statements follow.

"⊆": Since the r.h.s. is closed under pruning and continuation, it suffices to consider $w \in StET(S/o) \cup StDT(S/o)$. Such a $w$ arises from some $q_0 \xRightarrow{w} q$, and the same run in $S$ gives some $w'$ with $w'|_{\Sigma\setminus\{o\}} = w$.

If $w \in StET(S/o)$, the run results in $w' \in StET(S)$ so that the second condition follows from continuation closure. If $w \in StDT(S/o)$, then $q$ is divergent in $S$, implying the second condition in the same way, or $q$ enables an infinite trace $o^\omega$. In the latter case, the second condition is immediate.

"⊇": Consider some $w'$ as specified. If some $w'o^n \in EDT(S)$, closure under pruning implies that some prefix $v'$ of $w'$ is in $PrET(S) \cup PrDT(S)$. Then $v'|_{\Sigma\setminus\{o\}}$ is in $ET(S/o)$ by Theorem 14 ii) or similarly in $DT(S/o)$. This implies $w'|_{\Sigma\setminus\{o\}} \in EDT(S/o)$ by closure under continuation.

Otherwise, we have $w'o^n \in L(S)$ for all $n$. For $n = |Q|$, some state occurs twice along $o^n$ on a run underlying $w'o^n$. This state is divergent in $S/o$, and the run to this state shows $w'|_{\Sigma\setminus\{o\}} \in EDT(S/o)$.

Conjunction is more difficult for the setting in this section. In particular, adding a $\tau$-loop as in Def. 25 would add a fault, which is not allowed. If a trace is neither quiescent nor divergent and state $q$ is reached by this trace, we can follow a (possibly empty) path of $\tau$-transitions from $q$ until we reach a stable state; this must enable an output. In other words, $q$ is not quiescent in the sense that $q \xRightarrow{o}$ for some $o \in O$, as discussed before Thm. 30. We note formally:

Lemma 35. For each EIO and $w \in EDL \setminus QDT$, there is some $o \in O$ with $wo \in EDL$.


If we consider two EIOs and the component-wise intersection of their divergence semantics (with sets $EDL$, $QDT$ and $EDT$), we might get a trace $w \in EDL \setminus QDT$ such that $wo \in EDL$ holds for no output $o$, see the example after Def. 38. Such a trace demonstrates a local inconsistency, which we have to remove in the conjunction. Since this problem arises on the level of traces, we have to collect the states reached by the same trace in a standard powerset construction.

But first of all, we show how to transform an EIO into a divergence-free normal form.


Definition 36 (Divergence Normal Form). The divergence normal form of $S$ is the EIO $DF(S)$ obtained from $S$ as follows. First, we construct $S'$ by adding all divergent states to $E$. Second, we set $DF(S) := NF(S')$ (cf. Def. 22).


$S$ and $S'$ have the same runs and quiescent states. Hence, they are equivalent w.r.t. $\sqsubseteq_{Div}$ since error and divergent states are treated the same way. We have $EDT(S') = ET(S')$ and can conclude that the divergence and the quiescence semantics of $S'$ coincide, i.e. we also have $EDL(S') = EL(S')$ and $QDT(S') = QET(S')$. Furthermore, the construction of $NF(S')$ removes all divergent states and does not add any new one. Thus, $DF(S)$ is divergence-free and equivalent to $S$ w.r.t. $\sqsubseteq_{Div}$ by Prop. 23. The additional claims in the following proposition are obvious.

Proposition 37. Each EIO $S$ is equivalent to $DF(S)$ w.r.t. $\sqsubseteq_{Div}$. The latter is divergence-free and in normal form.

If $S$ is divergence-free, we have $EDT(S) = ET(S)$, $QDT(S) = QET(S)$ and $EDL(S) = EL(S)$. For such EIOs, $\sqsubseteq_{Div}$ and $\sqsubseteq_{Qui}$ coincide.


Thus, we can assume that an EIO is in normal form and divergence-free if we wish. The above transformation is efficient for finite EIOs since we can determine $S'$ efficiently: we consider only the $\tau$-transitions of $S$ and determine with a suitable variant of depth first search (DFS) the strongly connected components (SCCs). Call an SCC trivial if it consists of a single state without a loop. All states in non-trivial SCCs are divergent. The states that can be reached from these 'core-divergent' states via reversed $\tau$-transitions form the set of divergent states; they can be determined with one DFS.

Now we will define the conjunction operator, which we denote by $\wedge$ again.


Definition 38 (Conjunction). Let $S_1$ and $S_2$ be EIOs with the same signature $(I, O)$, which we assume to be divergence-free and in normal form (with error states $e_1$, $e_2$). Consider $S := S_1 \times S_2$ as defined in Def. 25.

We construct the power-EIO $\mathfrak{P}(S)$ of $S$ as follows: the state set is the powerset $\mathcal{P}(Q)$ denoted by $Q_{\mathfrak{P}}$, the signature is $(I, O)$, $q_{0\mathfrak{P}} = \{(q_1, q_2) \mid (q_{01}, q_{02}) \xRightarrow{\varepsilon} (q_1, q_2)\}$, $E_{\mathfrak{P}} = \{P \mid (e_1, e_2) \in P\}$, and $\delta_{\mathfrak{P}}$ consists of all transitions $P \xrightarrow{a} \{(q_1', q_2') \mid \exists (q_1, q_2) \in P: (q_1, q_2) \xRightarrow{a} (q_1', q_2')\}$ with $a \in \Sigma$. We restrict $\mathfrak{P}(S)$ to the reachable part and, whenever $q_{0\mathfrak{P}} \xRightarrow{w} P$, we denote $P$ also with $P_w$.

We say that $P \in Q_{\mathfrak{P}}$ allows quiescence (modulo errors) if $\exists (q_1, q_2) \in P$: $q_i$ is quiescent or $q_i = e_i$ for each $i = 1, 2$.

Next, we define the inconsistency set $\mathfrak{I} \subseteq Q_{\mathfrak{P}}$ as the least set that contains $P$ whenever

i) $\exists i \in I$ such that $P \xrightarrow{i} P'$ and $P' \in \mathfrak{I}$, or

ii) $P$ does not allow quiescence, and $P' \in \mathfrak{I}$ whenever $P \xrightarrow{o} P'$ with $o \in O$.

$S_1 \wedge S_2$ is obtained from $\mathfrak{P}(S)$ by removing all states in $\mathfrak{I}$ (including the incident transitions) and performing the following quiescence correction: If $P \notin E_{\mathfrak{P}} \cup \mathfrak{I}$ is not quiescent but allows for quiescence, we add a fresh state $\hat{P}$ that inherits all incoming transitions and all outgoing input transitions from $P$.

Note that condition ii) of the inconsistency set construction in Def. 38 covers the base case of those $P$ that have no output transition.
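Def. 38 as an added worked example in Python (my code, not the paper's): it builds the product $S_1 \times S_2$ of Def. 25, the reachable part of the power-EIO $\mathfrak{P}(S)$, the inconsistency set $\mathfrak{I}$ as the least fixpoint of rules i) and ii), removes $\mathfrak{I}$ and applies the quiescence correction. The two EIOs fed in are constructed here; their state names `a0`..`a3`, `b0`..`b3`, the actions `i`, `o`, `p` and the label `tau` are assumptions. Like the paper's two examples they are error-free and $\tau$-free, hence divergence-free, and the absent error state is represented as `None`; an $a$-step whose successor set would be empty is treated as no transition at all.

```python
from collections import deque

TAU = "tau"


def product(s1, s2):
    """S = S1 x S2 of Def. 25: synchronize on every a in Sigma, interleave tau-steps.
    An EIO is a dict with keys Q, delta (triples), q0 and e (error state or None)."""
    delta = {((q1, q2), a, (p1, p2)) for (q1, a, p1) in s1["delta"]
             for (q2, b, p2) in s2["delta"] if a == b and a != TAU}
    delta |= {((q1, q2), TAU, (p1, q2)) for (q1, a, p1) in s1["delta"] if a == TAU
              for q2 in s2["Q"]}
    delta |= {((q1, q2), TAU, (q1, p2)) for (q2, a, p2) in s2["delta"] if a == TAU
              for q1 in s1["Q"]}
    return {"Q": {(q1, q2) for q1 in s1["Q"] for q2 in s2["Q"]}, "delta": delta,
            "q0": (s1["q0"], s2["q0"]), "e": (s1["e"], s2["e"])}


def weak_succ(s, states, a):
    """{q' | some q in `states` has q ==a==> q'}: the a-step framed by tau-closures;
    for a == TAU it is the tau-closure of `states` itself."""
    def tau_closure(xs):
        seen, todo = set(xs), list(xs)
        while todo:
            q = todo.pop()
            for (x, b, p) in s["delta"]:
                if x == q and b == TAU and p not in seen:
                    seen.add(p)
                    todo.append(p)
        return seen
    pre = tau_closure(states)
    if a == TAU:
        return frozenset(pre)
    return frozenset(tau_closure({p for (x, b, p) in s["delta"] if x in pre and b == a}))


def power_eio(s, sigma):
    """Reachable part of the power-EIO P(S) of Def. 38: deterministic and tau-free.
    An empty successor set is read as 'no a-transition from P'."""
    q0 = weak_succ(s, {s["q0"]}, TAU)
    states, delta, todo = {q0}, set(), deque([q0])
    while todo:
        P = todo.popleft()
        for a in sigma:
            P2 = weak_succ(s, P, a)
            if P2:
                delta.add((P, a, P2))
                if P2 not in states:
                    states.add(P2)
                    todo.append(P2)
    return {"Q": states, "delta": delta, "q0": q0, "e": s["e"]}


def conjunction(s1, s2, inputs, outputs):
    """S1 /\\ S2 of Def. 38. Returns the conjunction and the inconsistency set."""
    s = product(s1, s2)
    B = power_eio(s, inputs | outputs)

    def quiescent(e, q):  # no output and no tau enabled at q in the component EIO e
        return not any(x == q and (b == TAU or b in outputs) for (x, b, _) in e["delta"])

    def allows_quiescence(P):  # some pair whose components are quiescent or the error
        return any(all(quiescent(e, q) or q == e["e"] for (e, q) in ((s1, q1), (s2, q2)))
                   for (q1, q2) in P)

    def successors(delta, P, labels):
        return [P2 for (X, a, P2) in delta if X == P and a in labels]

    # inconsistency set: least fixpoint of rules i) and ii); a state without output
    # transitions that does not allow quiescence is the base case of rule ii)
    bad, changed = set(), True
    while changed:
        changed = False
        for P in B["Q"] - bad:
            rule_i = any(P2 in bad for P2 in successors(B["delta"], P, inputs))
            rule_ii = (not allows_quiescence(P)
                       and all(P2 in bad for P2 in successors(B["delta"], P, outputs)))
            if rule_i or rule_ii:
                bad.add(P)
                changed = True
    Q = B["Q"] - bad
    delta = {t for t in B["delta"] if t[0] in Q and t[2] in Q}
    # quiescence correction: a non-error P that has an output but allows quiescence gets
    # a twin P-hat with P's incoming transitions and P's outgoing input transitions
    for P in list(Q):
        if B["e"] in P or not successors(delta, P, outputs) or not allows_quiescence(P):
            continue
        hat, orig = ("hat", P), set(delta)
        Q.add(hat)
        delta |= {(X, a, hat) for (X, a, Y) in orig if Y == P}
        delta |= {(hat, a, Y) for (X, a, Y) in orig if X == P and a in inputs}
    return {"Q": Q, "delta": delta, "q0": B["q0"], "e": B["e"]}, bad


# Constructed example (not from the paper), I = {i}, O = {o, p}: after the trace o i,
# S1 can only output o and S2 can only output p, so the state reached by o i in P(S) is
# neither quiescent nor able to output; by input-enabledness the trace o itself is lost.
I, O = {"i"}, {"o", "p"}
S1 = {"Q": {"a0", "a1", "a2", "a3"}, "q0": "a0", "e": None,
      "delta": {("a0", "o", "a1"), ("a0", "i", "a0"), ("a0", "p", "a3"), ("a1", "i", "a2"),
                ("a2", "o", "a2"), ("a2", "i", "a2"), ("a3", "i", "a3")}}
S2 = {"Q": {"b0", "b1", "b2", "b3"}, "q0": "b0", "e": None,
      "delta": {("b0", "o", "b1"), ("b0", "i", "b0"), ("b0", "p", "b3"), ("b1", "i", "b2"),
                ("b2", "p", "b2"), ("b2", "i", "b2"), ("b3", "i", "b3")}}
CONJ, INCONSISTENT = conjunction(S1, S2, I, O)

if __name__ == "__main__":
    print("inconsistent:", [sorted(P) for P in INCONSISTENT])
    print("conjunction:", sorted((sorted(P), a, sorted(P2)) for (P, a, P2) in CONJ["delta"]))
```

The run reproduces the situation of Lemma 35 and the remark after it: $\{(a_2, b_2)\}$ has no output transition and does not allow quiescence, so it enters $\mathfrak{I}$ by rule ii); $\{(a_1, b_1)\}$ follows by rule i) through its input $i$; the initial state survives because its other output $p$ leads to a state that allows quiescence. What remains is the common refinement that never outputs $o$.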


[Figure 10: the EIOs $S_1$ and $S_2$, their power-EIO $\mathfrak{P}(S)$ and the conjunction $S_1 \wedge S_2$; image not reproduced]

Figure 10: First example for Def. 38


Before proving the characteristic property of conjunction, we look at two examples, which are without error states and $\tau$-transitions. Fig. 10 shows EIOs $S_1$ and $S_2$, as well as their power-EIO and conjunction. The trace $w = oi$ is quiescent in $\mathfrak{P}(S)$ since $S_1$ forbids $o'$ and $S_2$ forbids $o$ after $w$; but it is not quiescent in $S_1$. Thus, a common refinement of $S_1$ and $S_2$ cannot have trace $w$. This is the situation we referred to after Lemma 35.

Correspondingly, state $\{42', 45'\}$ does not allow quiescence due to state 4, and the second part of 38 ii) holds vacuously since $\{42', 45'\}$ has no output transition. Thus, this state is inconsistent, implying with i) that $\{22', 23'\}$ is inconsistent as well. Observe that an EIO with trace $o$ would also have trace $oi$. We conclude that $\mathfrak{I} = \{\{42', 45'\}, \{22', 23'\}\}$; in particular, $\{11'\}$ has an output transition to $\{34'\} \notin \mathfrak{I}$.
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Figure 11: Second example for Def. 38 


The next example in Fig. 11 shows the effect of using a powerset as state set. Here, $\mathfrak{I} = \emptyset$ since 38 ii) never applies: the first and the third state have an output; $\{22', 32'\}$ and $\{74'\}$ allow quiescence due to $32'$ and $74'$ resp.

A critical point is that $22'$ might look contradictory. It belongs to a quiescent state in $\mathfrak{P}(S)$, but 2 is not quiescent. One could have the idea to remove $22'$ from the quiescent state during the construction. But this would remove $53'$ from the next state, and the resulting $\{63'\}$ would have no output (and satisfy 38 ii)). But $oio$ is possible in a common refinement, namely in $\mathfrak{P}(S) = S_1 \wedge S_2$, which is isomorphic to $S_2$. Note that $S_1$ has the quiescent traces $o$ and $oio$.
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Figure 12: E¢yxK-conjunction according to [5] 
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Since S; and Sy are without error states and 7-transitions, Ep;, and 
EcyK coincide, and hence the conjunctions should as well. It may be 
instructive to see how the construction in [5] fails in this case: it builds the 
Cartesian product and then — without any powerset construction — removes 
inconsistent states in the same way as we do (at least in this example). 


Fig. 12 shows four initial states and all their outgoing transitions. States 
22’ and 63’ do not allow quiescence, hence become elements of X as > is 
denoted there. Then, 32’ satisfies Clause i) and subsequently 11’ satisfies 
Clause ii). According to this, there is no common refinement. 


It is well known that $\mathfrak{P}(S)$ is deterministic and, for each $w \in \Sigma^*$ and $P \in Q_{\mathfrak{P}}$, we have $q_{0\mathfrak{P}} \xRightarrow{w} P$ if and only if $P = \{(q_1, q_2) \mid (q_{01}, q_{02}) \xRightarrow{w} (q_1, q_2)\}$. Hence, for $S$ as well as $\mathfrak{P}(S)$, we know that $EDT = EDT_1 \cap EDT_2$ and $EDL = L = EDL_1 \cap EDL_2$; cf. Lemma 24 and the remark in the proof of Thm. 26. Hence, a common $\sqsubseteq_{Div}$-refinement $R$ of $S_1$ and $S_2$ is at least an $\sqsubseteq_E$-refinement of $\mathfrak{P}(S)$.

Next we argue that, by removing $\mathfrak{I}$, we do not remove a trace that could appear in $EDL(R)$ for such an $R$, i.e. it cannot appear in any part of its divergence semantics. Note that an error state is never in $\mathfrak{I}$: if $(e_1, e_2) \in P$ and $P \xrightarrow{a} P'$, then $(e_1, e_2) \in P'$; thus, the first error state added to $\mathfrak{I}$ could not be added according to i). Furthermore, each error state allows quiescence, so it is surely not added to $\mathfrak{I}$ according to ii).


Lemma 39. Let $R \sqsubseteq_{Div} S_1$ and $R \sqsubseteq_{Div} S_2$ for $S_1$ and $S_2$ as in the above definition. Let $w \in \Sigma^*$ and $P_w \in Q_{\mathfrak{P}}$.

i) $P_w$ allows quiescence if and only if $w \in QDT_1 \cap QDT_2$.
ii) $P_w \in \mathfrak{I}$ implies that $w \notin EDL(R)$.
iii) $\mathfrak{P}(S)$ and $S_1 \wedge S_2$ are divergence-free EIOs.

Proof: i) Obvious from the above considerations and the definition of allowing quiescence. Recall that the systems under consideration are divergence-free and $S_1$ and $S_2$ are in normal form.

ii) The proof is by (possibly transfinite for infinite $O$) induction on the derivation. If $P_w \in \mathfrak{I}$ due to Rule i), then $P_{wi} \in \mathfrak{I}$ and, by induction, $wi \notin EDL(R)$. Due to input-enabledness, this implies $w \notin EDL(R)$.

If $P_w \in \mathfrak{I}$ due to Rule ii), then it does not allow quiescence, and we cannot have $w \in QDT(R) \subseteq QDT_1 \cap QDT_2$ by Item i). Furthermore, for each output $o$, either $P_w \not\xrightarrow{o}$ or $P_w \xrightarrow{o} P_{wo} \in \mathfrak{I}$. In either case, $wo \notin EDL(R)$. Thus, $w \in EDL(R)$ would contradict Lemma 35.

iii) The first is obvious. $S_1 \wedge S_2$ is input-enabled due to Rule i) and since the quiescence correction preserves input-enabledness.


Theorem 40 (Conjunction). For three EIOs $R$, $S_1$ and $S_2$ with the same signature, we have that $R \sqsubseteq_{Div} S_1 \wedge S_2$ if and only if $R \sqsubseteq_{Div} S_1$ and $R \sqsubseteq_{Div} S_2$.

Proof: We can assume that $R$, $S_1$ and $S_2$ are divergence-free and in normal form. By Lemma 39, it suffices to check the claim for $\sqsubseteq_{Qui}$ in place of $\sqsubseteq_{Div}$.

"⇐": For the system $\mathfrak{P}(S)$ above, we have $ET = ET_1 \cap ET_2$ and $EL = L = EL_1 \cap EL_2$, hence $R \sqsubseteq_E \mathfrak{P}(S)$. Due to Lemma 39 ii) and since quiescence correction does not change the language or the (strict) error traces, we also have $R \sqsubseteq_E S_1 \wedge S_2$.

If $w$ is a qsc- but not an error trace of $R$, $P_w$ exists in $S_1 \wedge S_2$ by Lemma 39 ii) since $w \in L(R)$. By assumption, $w \in QET_1 \cap QET_2$, and $P_w$ allows quiescence by Lemma 39 i). Hence, $w$ is a strict qsc-trace in $S_1 \wedge S_2$ due to $P_w$ or $\hat{P}_w$.

"⇒": It suffices to show that $S_1 \wedge S_2 \sqsubseteq_{Qui} S_1$ and $S_1 \wedge S_2 \sqsubseteq_{Qui} S_2$, where the latter follows from the former by symmetry.

By the arguments for "⇐", we have $S_1 \wedge S_2 \sqsubseteq_E S_1$. If $w$ is a qsc- but not an error trace of $S_1 \wedge S_2$, this is either due to $\hat{P}_w$ and $w \in QET_1 \cap QET_2$ by Lemma 39 i), or $P_w$ is quiescent after the removal of $\mathfrak{I}$. Then, because of Rule ii), we conclude that $P_w$ allows quiescence and we are done as in the first subcase.


6 Quotient 


Here, we extend the divergence-sensitive approach of the previous section by a quotient operation. This is a kind of inverse or adjoint operation to parallel composition. With this operation, we can reuse components and do an incremental component-based specification. Given two EIOs $S$ and $D$, the quotient is the coarsest EIO $P$ such that $P \| D \sqsubseteq_{Div} S$ holds, and we denote it by $S/\!/D$ if the quotient exists. In the following, we call $S$ the specification, $D$ the divisor and $P$ a solution of the quotient inequality. One should think of $D$ as an already implemented component, and $P$ is a completion of $D$ such that $P \| D$ meets the specification $S$.
This section has profited from studying the quotients in [3] and [5].
The setting in [3] is based on modal transition systems with an alternating 
simulation relation as refinement. The quotient in [5] is based on slightly 
different trace set inclusions for refinement as discussed above, and only 
deterministic EIOs are considered. 

In fact, quotient operators usually need some determinism assumption. 
In contrast, we treat arbitrary EIOs, but we bring S and D in some suitable 
normal form. This normal form uses a variation of EIOs with an additional 
function that assigns a bit to each state. Bit 1 indicates that the state can 
be regarded as quiescent even if, possibly, it is not. 


Definition 41 (Bit-EIO). A bit-EIO is a divergence-free EIO $S = (Q, I, O, \delta, q_0, E, b)$ with an additional function $b: Q \to \mathbb{B}$ satisfying for every $q \in Q$: if $q$ is quiescent and $q \notin E$ then $b(q) = 1$; if $q \in E$ then $b(q) = 0$.

For a bit-EIO, the various trace sets are defined as for an EIO, except that the strict quiescent traces are $StQT(S) = \{w \mid q_0 \Rightarrow^{w} q \text{ and } b(q) = 1\}$. Consequently, $QET$ and $QDT$ are obtained by adding $ET$ and $EDT$ resp. Thus, $\sqsubseteq_{Div}$ is defined between arbitrary EIOs and bit-EIOs.


To bring $S$ and $D$ in the intended normal form, we apply some powerset construction to $S$ and $D$ similar to Def. 38. The result will be a deterministic bit-EIO. During the powerset construction we ‘lose’ the quiescent states that have incoming traces which could be extended by some output in some other state. Hence, we mark a state of the new system by bit 1, if it contains a quiescent state of the original EIO.

Before going on, we show that each bit-EIO can be translated into an equivalent EIO. If the bit-EIO is deterministic, the equivalent EIO is ‘almost’ deterministic, but usually not completely so. For the translation, we add for every $q$ with $b(q) = 1$ a fresh state $\hat{q}$ that inherits all incoming transitions and all outgoing input transitions of the original state. If $q$ is the initial state, we also add a $\tau$-transition from the original $q_0$ to $\hat{q}_0$.


Definition 42 (Quiescence Correction). For a bit-EIO $S = (Q, I, O, \delta, q_0, E, b)$, the quiescence correction is the EIO $QC(S) = (Q \cup \{\hat{q} \mid b(q) = 1\}, I, O, \delta \cup \delta', q_0, E)$ with $\delta' = \{(q', a, \hat{q}) \mid (q', a, q) \in \delta \text{ and } b(q) = 1\} \cup \{(\hat{q}, a, q') \mid (q, a, q') \in \delta, a \in I \text{ and } b(q) = 1\} \cup \{(q_0, \tau, \hat{q}_0) \mid b(q_0) = 1\}$.


Proposition 43. Every bit-EIO $S$ is equivalent to its quiescence correction $QC(S)$ w.r.t. $\sqsubseteq_{Div}$.

Proof: For the set inclusion regarding $EDT$, recall that there are no divergence traces. In fact, it suffices to consider the strict error traces. A run for a strict error trace $w \in StET(S)$ leads to a state in $E$. Since all transitions of $S$ are also in $QC(S)$, we get $w \in StET(QC(S))$. Similarly, $L(S) \subseteq L(QC(S))$.

For $w \in StQT(S)$, a run in $S$ can reach a state $q$ with $b(q) = 1$ when executing $w$. This run also exists in $QC(S)$, and the last transition can be redirected to $\hat{q}$ because $b(q) = 1$. For $w = \varepsilon$, the run in $QC(S)$ consists of $(q_0, \tau, \hat{q}_0)$. Since $\hat{q}$ only inherits the outgoing input transitions of $q$, it is quiescent, and $w \in StQT(QC(S))$.

For the reverse inclusions, we note that a run in $QC(S)$ for trace $w$ could use some fresh states. All incoming and outgoing transitions of fresh states are duplicates of the incoming and outgoing transitions of the original states. So the same trace $w$ is also executable in $QC(S)$ without using the fresh copies, and the respective run exists in $S$ as well. This shows $L(QC(S)) \subseteq L(S)$ and, noting that error states have no fresh copy, also $EDT(QC(S)) \subseteq EDT(S)$.

A run for $w \in StQT(QC(S))$ can end in an original state $q$, and we can use the same arguments. If it ends in some $\hat{q}$, we have $b(q) = 1$. As above, $w$ can also be executed in $S$, reaching $q$. This shows that $w \in StQT(S)$ in any case, and we are done. All in all, we have shown the equivalence of $S$ and $QC(S)$ w.r.t. $\sqsubseteq_{Div}$.

Now we define the new normal form and how it can be obtained. 


Definition 44 (Qui-Div-Normal Form). A bit-EIO is in qui-div-normal form (qui-div-NF), if it is deterministic (hence divergence-free) and in normal form.

By Def. 36 and Prop. 37, we can assume that we have an EIO $S$ in divergence normal form with only error state $e$. The qui-div-NF of $S$ is the bit-EIO $QDF(S)$ obtained from $S$ as follows. First, we construct the power-EIO $QD(S)$ of $S$ as follows:

• $Q_{QD} = \mathcal{P}(Q)$,
• the signature is $(I, O)$,
• $q_{0,QD} = \{q \mid q_0 \Rightarrow q\}$,
• $E_{QD} = \{P \mid e \in P\}$,
• $\delta_{QD}$ consists of all transitions $P \xrightarrow{a} \{q' \mid \exists q \in P: q \Rightarrow^{a} q'\}$ with $a \in \Sigma$.

We restrict $QD(S)$ to the reachable part and say that $P \in Q_{QD}$ allows quiescence if some $q \in P$ is quiescent. $QDF(S)$ is obtained from $QD(S)$ by performing the normal form construction $NF(QD(S))$, resulting in a new system whose only error state is called $e$ again. Finally, we add the function $b$ that assigns 1 to a state $P$ that allows quiescence and 0 to all other states including the new error state.


Due to the first normal form assumption, the last normalization simply 
merges all error states into the new e and keeps all other states and tran- 
sitions. Furthermore, b(e) = 0. QDF(S) is in normal form due to the last 
construction step. Hence Lemma 24 holds for all bit-EIOs in qui-div-NF. 


Proposition 45. Each EIO $S$ is equivalent to the bit-EIO $QDF(S)$ w.r.t. $\sqsubseteq_{Div}$. $QDF(S)$ is deterministic and in normal form.


Proof: The powerset construction gives a deterministic system. Deter- 
minism is preserved and normal form enforced by the last step. 

The powerset construction preserves all languages in the automata- 
theoretic sense if we define some set of final states in S (e.g. {e}) and 
the corresponding set of states in $QD(S)$ ($E_{QD}$ in the example). The
given example shows that the EDT-semantics is preserved in the powerset 
construction, and it is also in the succeeding normalization. Choosing all 
states in S and QD(S) shows the preservation of the L-semantics. 

For the treatment of quiescence, we choose the set of quiescent states 
in S and the P allowing quiescence in QD(S); hence, the StQT-semantics 
is preserved in the powerset construction. Function b is chosen such that 
it is also preserved in the normalization except for traces reaching some P 
that allows quiescence and contains the original e. Since these traces are in 
EDT(QDF(S)), at least the QDT-semantics is preserved, and we are done. 


We now define a structure the quotient will be based on. In the following 
we will use s, d and p to denote a state of S, D and a prospective solution 
P resp. 


Definition 46 (Pseudo-quotient). Let $S$ and $D$ be bit-EIOs in qui-div-NF with $\Sigma_D \subseteq \Sigma_S$ and $O_D \subseteq O_S$. We set $I = I_S \cup O_D$ and $O = O_S \setminus O_D$.

The pseudo-quotient $S$ over $D$ is defined as the bit-EIO $S \oslash D = (\{(e_S,e_D)\}, I, O, \{(e_S,e_D) \xrightarrow{a} (e_S,e_D) \mid a \in \Sigma\}, (e_S,e_D), \{(e_S,e_D)\}, b)$, if $s_0 = e_S$. Otherwise, $S \oslash D = (S \times D, I, O, \delta, (s_0,d_0), \{(e_S,e_D)\}, b)$ where $b$ and the transition relation are defined by the following rules:

(Q1) $(s,d) \xrightarrow{a} (s',d)$, if $s \xrightarrow{a}_S s' \wedge a \in \Sigma \setminus \Sigma_D \wedge s' \neq e_S$ ($s \neq e_S$),
(Q2) $(s,d) \xrightarrow{a} (s',d')$, if $s \xrightarrow{a}_S s' \wedge d \xrightarrow{a}_D d' \wedge a \in \Sigma_D \wedge s' \neq e_S$ ($s \neq e_S$),
(Q3) $(s,d) \xrightarrow{a} (e_S,e_D)$, if $s \xrightarrow{a}_S e_S \wedge s \neq e_S$ (then: $a \in I_S \subseteq I$),
(Q4) $(e_S,e_D) \xrightarrow{a} (e_S,e_D)$, if $e_S \xrightarrow{a}_S e_S$ (applies for all $a \in \Sigma$),
(Q5) $(s,d) \xrightarrow{a} (e_S,e_D)$, if $d \not\xrightarrow{a}_D \wedge a \in I \cap \Sigma_D \wedge s \neq e_S$ (only for $a \in O_D$ possible).

$b(s,d) = 0$, if $(s,d) = (e_S,e_D)$ or $b(s) = 0 \wedge b(d) = 1$; $b(s,d) = 1$, otherwise.


For a state $(s,d) \in S \oslash D$, the intuition is that $(s,d)$ in parallel with $d$ has only traces that $s$ can also execute, and that $(s,d)$ should be the coarsest state with respect to $\sqsubseteq_{Div}$ satisfying the condition.

Rule (Q1) is necessary due to the following consideration. If $S$ has an $a$-transition where $a$ is unknown to $D$, this can only originate from an $a$-transition in the quotient that we wish to construct.

Rule (Q2) is obvious in the light of the choice of alphabet in Def. 46. As $S \oslash D$ has all actions of $S$ and $D$ in its alphabet, it also needs an $a$-transition to produce such a transition at $(s,d) \| d$.

For Rules (Q1) and (Q2) we know that $s$ cannot be $e_S$. Otherwise $S$ would have a transition $e_S \xrightarrow{a}_S s' \neq e_S$. That is not possible because $S$ is in qui-div-NF.

Rule (Q3) deals with reaching the error state in $S$. Obviously, $(e_S,e_D)$ is the most general state of $S \oslash D$. Intuitively, this rule combines (Q1) and (Q2) and replaces all states $(e_S,d)$ by $(e_S,e_D)$. $S$ is in qui-div-NF and hence also in normal form. Thus, all transitions leading from a non-error state to the error state are labeled with an input. All inputs of $S$ are inputs of the pseudo-quotient. So Rule (Q3) only generates input-transitions.

Rule (Q4) generates a transition loop at the error state for all $a \in \Sigma$. As usual, $\Sigma$ is the union of $I$ and $O$. Hence, $\Sigma = I_S \cup O_D \cup O_S \setminus O_D = I_S \cup O_S = \Sigma_S$.

Rule (Q5) makes $S \oslash D$ almost input-enabled. Action $a \in I$ is blocked by $d$, so it can only be an output of $D$ since $D$ is input-enabled. The $a$-transition introduced here just disappears in $(S \oslash D) \| D$, since $a$ is blocked by $d$.

With $b$ we allow quiescence for most states in the quotient except for the error state and for states $(s,d)$ where $s$ does not allow quiescence but $d$ does. In the latter case, $b(s,d) = 0$ could violate a condition of bit-EIOs because $(s,d)$ could have no outgoing output-transitions. Such an $(s,d)$ is reached by a quiescent trace in parallel composition with $d$, which could be quiescent as well. The only reachable state of $S$ with the same trace is $s$, which does not allow quiescence and is not the error state. Such an $(s,d)$ will be removed in the quotient due to the next definition; cf. (F3).

The pseudo-quotient can contain pairs (s,d) where it is impossible that s 
has the required properties that result from the parallel composition of (s, d) 
and d. We call such pairs impossible states and remove them from the 
pseudo-quotient. In order to prevent the enforced reachability of impossible 
states, all states having an input transition to impossible states must also 
be removed. This pruning due to (F4) results in the quotient. 


Definition 47 (Quotient). Let $S \oslash D$ be the pseudo-quotient of $S$ over $D$. The set $F \subseteq S \times D$ of impossible states is defined as the least set satisfying the following rules:

(F1) $s \neq e_S \wedge d = e_D$ implies $(s,d) \in F$,
(F2) $s \not\xrightarrow{a}_S \wedge d \xrightarrow{a}_D$ and $a \in O_D$ implies $(s,d) \in F$ (only possible for $s \neq e_S$),
(F3) $(s,d) \in F$ whenever $b(s) = 0 \wedge b(d) = 1$ and $\forall a \in O$: if $(s,d) \xrightarrow{a} (s',d')$ then $(s',d') \in F$,
(F4) $(s,d) \xrightarrow{a} (s',d') \in F$ and $a \in I$ implies $(s,d) \in F$.

The quotient $S/\!/D$ is obtained by deleting all states $(s,d) \in F$ and all unreachable states except $(e_S,e_D)$ from $S \oslash D$. This also removes any transition exiting or entering the deleted states. If $(s,d) \in S/\!/D$, then we write $s/\!/d$. If $(s_0,d_0) \notin S/\!/D$, then the quotient $S$ over $D$ is not defined.

In the remainder, we will work with the quotient being represented by 
the bit-EIO S//D. Since it should really be an EIO, one has to replace it in 
the end by QC(S//D). 


Rule (F1) captures the division by $e_D$: state $e_D$, in parallel with any state, is an error state; thus there is an error trace that $S$ (in qui-div-NF) with $s \neq e_S$ cannot match.

Rule (F2) can only be applied for $s \neq e_S$, since $e_S$ has for each $a$ an outgoing transition to itself. The rule captures the situation where $d$ has an output $a$ that is not implemented at $s$. Offering an $a$-input-transition in the quotient would lead to an $a$-transition in the parallel composition with $d$, while not offering $a$ would lead to an error; both would lead to a trace in the parallel composition which an $S$ in qui-div-NF cannot match.

Rule (F3) cuts out states which would be quiescent in the parallel 
composition with D (possibly after removing other states) but have no 
quiescent counterpart in S. 

Finally, Rule (F4) propagates back all impossibilities that cannot be 
avoided by refining, since (s,d) must have an input a-transition. 
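As an added, constructed illustration of Definitions 46 and 47 (this is not code from the paper), the following Python computes the pseudo-quotient by rules (Q1)-(Q5), the impossible states as the least fixpoint of (F1)-(F4), and prunes to $S/\!/D$. The spec $S$ (cycle $i?\,o!\,x!$) and divisor $D$ (answers $i?$ with $o!$) are made up here; the degenerate case $s_0 = e_S$ of Def. 46 is excluded by an assertion, and the "eager" divisor variant shows a quotient that is undefined because $(s_0,d_0)$ falls into $F$ by (F2).

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional, Set, Tuple


@dataclass
class BitEIO:
    """Deterministic bit-EIO in qui-div-NF (Defs. 41, 44); b(q) = 1 means q may be quiescent."""
    states: Set[Any]
    inputs: Set[str]
    outputs: Set[str]
    delta: Dict[Tuple[Any, str], Any]   # (state, action) -> unique successor
    init: Any
    error: Any
    b: Dict[Any, int]

    def alphabet(self) -> Set[str]:
        return self.inputs | self.outputs

    def step(self, q: Any, a: str) -> Optional[Any]:
        return self.delta.get((q, a))


def pseudo_quotient(S: BitEIO, D: BitEIO):
    """Rules (Q1)-(Q5) and bit b of Def. 46 for s0 != e_S; returns (I, O, delta, b)."""
    assert D.alphabet() <= S.alphabet() and D.outputs <= S.outputs and S.init != S.error
    I, O = S.inputs | D.outputs, S.outputs - D.outputs
    err, delta = (S.error, D.error), {}
    for s in S.states:
        for d in D.states:
            for a in S.alphabet():
                s2, d2 = S.step(s, a), D.step(d, a)
                if s == S.error:
                    if d == D.error and s2 == S.error:            # (Q4): loop at (e_S, e_D)
                        delta[(err, a)] = err
                elif s2 == S.error:                               # (Q3): S runs into e_S
                    delta[((s, d), a)] = err
                elif s2 is not None and a not in D.alphabet():    # (Q1): a unknown to D
                    delta[((s, d), a)] = (s2, d)
                elif s2 is not None and d2 is not None:           # (Q2): S and D move together
                    delta[((s, d), a)] = (s2, d2)
                if s != S.error and d2 is None and a in I and a in D.alphabet():
                    delta[((s, d), a)] = err                      # (Q5): output of D blocked by d
    b = {(s, d): 0 if (s, d) == err or (S.b[s] == 0 and D.b[d] == 1) else 1
         for s in S.states for d in D.states}
    return I, O, delta, b


def impossible_states(S: BitEIO, D: BitEIO, I, O, delta) -> Set[Any]:
    """Least set F closed under (F1)-(F4) of Def. 47, computed as a fixpoint."""
    pairs = [(s, d) for s in S.states for d in D.states]
    F = {(s, d) for s, d in pairs if s != S.error and d == D.error}          # (F1)
    F |= {(s, d) for s, d in pairs if any(S.step(s, a) is None and            # (F2)
          D.step(d, a) is not None for a in D.outputs)}
    changed = True
    while changed:
        changed = False
        for p in [q for q in pairs if q not in F]:
            s, d = p
            f3 = S.b[s] == 0 and D.b[d] == 1 and all(
                delta[(p, a)] in F for a in O if (p, a) in delta)             # (F3)
            f4 = any(delta.get((p, a)) in F for a in I)                       # (F4)
            if f3 or f4:
                F.add(p)
                changed = True
    return F


def quotient(S: BitEIO, D: BitEIO) -> Optional[BitEIO]:
    """S//D of Def. 47: drop F and unreachable states; None if (s0, d0) is impossible."""
    I, O, delta, b = pseudo_quotient(S, D)
    F = impossible_states(S, D, I, O, delta)
    init, err = (S.init, D.init), (S.error, D.error)
    if init in F:
        return None
    kept = {k: v for k, v in delta.items() if k[0] not in F and v not in F}
    reach, todo = {init}, [init]
    while todo:                                   # reachability from (s0, d0)
        p = todo.pop()
        for q in [kept.get((p, a)) for a in I | O]:
            if q is not None and q not in reach:
                reach.add(q)
                todo.append(q)
    reach.add(err)                                # (e_S, e_D) is always kept
    return BitEIO(reach, I, O, {k: v for k, v in kept.items() if k[0] in reach},
                  init, err, {p: b[p] for p in reach})


def spec_s() -> BitEIO:
    """Constructed spec S: cycle i? o! x!; an i? while an output is due is an error."""
    d = {("s0", "i"): "s1", ("s1", "o"): "s2", ("s2", "x"): "s0",
         ("s1", "i"): "e", ("s2", "i"): "e"}
    d.update({("e", a): "e" for a in "iox"})
    return BitEIO({"s0", "s1", "s2", "e"}, {"i"}, {"o", "x"}, d, "s0", "e",
                  {"s0": 1, "s1": 0, "s2": 0, "e": 0})


def divisor_d(eager: bool = False) -> BitEIO:
    """Constructed divisor D answering i? with o!; 'eager' also emits o! at d0."""
    d = {("d0", "i"): "d1", ("d1", "o"): "d0", ("d1", "i"): "e"}
    if eager:
        d[("d0", "o")] = "d1"
    d.update({("e", a): "e" for a in "io"})
    return BitEIO({"d0", "d1", "e"}, {"i"}, {"o"}, d, "d0", "e",
                  {"d0": 0 if eager else 1, "d1": 0, "e": 0})
```

For the constructed pair, the quotient keeps exactly the main cycle $(s_0,d_0) \xrightarrow{i} (s_1,d_1) \xrightarrow{o} (s_2,d_0) \xrightarrow{x} (s_0,d_0)$ plus the error state, with $b(s_2,d_0) = 0$ because $s_2$ must still output while $d_0$ may be quiescent.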

Before we go on, we will show an example for the quotient construction, see Figure 13. For the example we have $I_S = \{i_1, i_2\}$, $O_S = \{o_1, o_2\}$, $I_D = \{i_1, o_2\}$, $O_D = \{o_1\}$ and, hence, $I = \{i_1, i_2, o_1\}$, $O = \{o_2\}$ for the signature of the pseudo-quotient and quotient. $\Sigma_S$, $\Sigma_D$ and $\Sigma$ at the loops of the error states in the figure represent all actions of the set. All states which are mapped to 1 by $b$ are underlined in the example. If a state is quiescent in $S$ or $D$, it has to be marked with 1 by function $b$. Additionally, in $S$, $s_0$ allows quiescence; this means that the only output $o_2$ is optional. The result is that $s_0, s_2, s_4, s_6, d_0, d_2, d_3, d_4$ are the states which are mapped to 1 by $b$. All other states of $S$ and $D$ have 0 as value of $b$. In particular, each of the outputs at $s_1$ is optional, but one of them has to be implemented.

$S$ has a “main cycle” $i_1 o_1 i_2 o_2$; this also occurs in $S/\!/D$. $D$ contributes $i_1$ and $o_1$ to this cycle; to identify the $i_1$ that has to be answered by $o_1$, $D$ listens in for $o_2$ as input. If $S$ performs an additional $o_2$ from $s_0$ or $s_1$, the construction shows that they do not fit to $D$. After $s_0 \xrightarrow{o_2}_S s_4 \xrightarrow{i_1}_S s_5$ the state reached is not quiescent and also does not allow quiescence. In $D$, with the same trace only $d_4$ can be reached, which is quiescent. Hence the pseudo-quotient also has the trace $o_2 i_1$ and reaches $(s_5,d_4)$ by executing this trace. In the parallel composition of the quotient and $D$ the trace $o_2 i_1$ is not allowed to be quiescent, because it must refine the non-quiescent trace of $S$. This implies that $(s_5,d_4)$ is not allowed to be quiescent; but at the same time, it does not have an output: the only output of $S \oslash D$ is $o_2$, which is not possible for $S$ in $s_5$. Hence the state $(s_5,d_4)$ of the pseudo-quotient is in $F$ due to (F3). All other quiescent states of $S \oslash D$ are mapped to 1 by $b$. Additionally, $(s_0,d_0)$ allows quiescence because $s_0$ does so. The result is that $b$ is 1 for all states in $\{(s_0,d_0), (s_1,d_1), (s_2,d_2), (s_4,d_3), (s_6,e_D)\}$ and 0 for all other states of $S \oslash D$. The mapping of $b$ for $S/\!/D$ is like in $S \oslash D$ for the states left in the quotient. With $(s_4,d_3) \xrightarrow{i_1}_{S \oslash D} (s_5,d_4) \in F$ and $i_1 \in I$, (F4) is fulfilled for $(s_4,d_3)$. The conditions of (F1) and (F2) are both satisfied in $(s_6,e_D)$, if we choose $o_1$ for the $a$ in (F2). The whole set of impossible states is $F = \{(s_4,d_3), (s_5,d_4), (s_6,e_D)\}$.
[Figure 13 (diagrams of $S$, $D$, $S \oslash D$ and $S/\!/D$) is not recoverable from the extraction.]

Figure 13: Example for quotient construction
Lemma 48. In $S \oslash D$, $(e_S,e_D)$ has no outgoing transitions to other states.

Proof: We prove that no Q-rule can generate a violation.

(Q1)/(Q2) These rules are not applicable because they require $s \neq e_S$.
(Q3)/(Q4)/(Q5) All transitions resulting from these three rules have $(e_S,e_D)$ as target state.


Lemma 49. In $S \oslash D$, $(e_S,e_D) \notin F$.

Proof: We prove this by induction on the derivation length according to the F-rules.

(F1) Since $s \neq e_S$ holds for this rule, it cannot be applied to $(e_S,e_D)$.

(F2) To apply this rule, $s$ must have a missing outgoing transition. If $s$ were the error state $e_S$, $s$ would have a self loop for every $a \in \Sigma_S$. Hence, $(s,d)$ cannot be $(e_S,e_D)$.

(F3) State $(e_S,e_D)$ has a transition loop for all $a \in \Sigma$ and, due to Lemma 48, $(e_S,e_D)$ has no transitions leading to other states. So $(s',d') = (e_S,e_D)$ is not in $F$ by induction.

(F4) With the same argumentation as for Rule (F3), this rule would insert $(e_S,e_D)$ into $F$ only if another rule has done it before.


Lemma 50. Let $S$ and $D$ be bit-EIOs in qui-div-NF. Then $S/\!/D$ is a bit-EIO in qui-div-NF if it is defined. In particular, $S/\!/D$ (if it exists) is input-enabled and deterministic.

Proof: We assume that $S/\!/D$ is defined.

In the first part, we consider the properties of a bit-EIO and, first of all, input-enabledness. Let $s/\!/d \in S/\!/D$ and $a \in I$. If $s = e_S$, then $d = e_D$ since otherwise $(s,d)$ has no ingoing transitions in $S \oslash D$ and is therefore unreachable. Thus, we are done by (Q4). So let $s \neq e_S$.

We first consider $a \in I_S$. Then, we have a transition $s \xrightarrow{a}_S s'$ and get some $(s,d) \xrightarrow{a} (s',d')$ in $S \oslash D$ by (Q1) to (Q3); note that $a \in \Sigma_D$ implies $a \in I_D$ and $d \xrightarrow{a}_D d'$ for some $d'$. If this input-transition were deleted since $(s',d')$ is removed due to Def. 47, then also $(s,d)$ would be removed due to (F4).

Second, let $a \in O_D$. If $d \not\xrightarrow{a}_D$, we are done by (Q5) and Lemma 49. Otherwise, we are done by (Q2) as above, or $(s,d)$ would be removed by (F2).

Clearly, $S/\!/D$ is divergence-free since no $\tau$-transitions are generated in Def. 46. Concerning the requirements for $b$ we observe that, by Lemma 49, $S/\!/D$ has the unique error state $(e_S,e_D)$ and $b(e_S,e_D) = 0$ by Def. 46. For a state $s/\!/d \neq (e_S,e_D)$, the only problem could be that $b(s,d) = 0$ according to Def. 46, though $(s,d)$ is quiescent. But in this case, $b(s) = 0$ and $b(d) = 1$, so $(s,d)$ is removed due to (F3).

In the second part, we treat the remaining properties, and start with the normal form requirements. As just noted, $S/\!/D$ has the unique error state $(e_S,e_D)$, which has a loop for all actions by (Q4) and no leaving transition by Lemma 48. All incoming transitions of the error state are generated by (Q3) and (Q5). (Q3) only generates transitions for labels in $I_S \subseteq I$ and (Q5) only generates transitions for labels in $O_D \subseteq I$.

It remains to prove determinism. $S$ and $D$ are already deterministic. From this, we have to show that the Q-rules generate at most one transition for each state $(s,d)$ and action $a$. The F-rules only delete transitions. Therefore they cannot introduce a violation of determinism.

We note that each rule on its own can generate at most one transition for $(s,d)$ and $a$. So we only have to exclude that two rules generate an $a$-transition for the same $(s,d)$.


(Q1) If (Q1) generates an $a$-transition, $a$ is not in $\Sigma_D$ and the target state of the underlying transition in $S$ is not the error state. This contradicts $a \in \Sigma_D$ in (Q2) and (Q5) and $e_S$ as target state in (Q3) and (Q4).

(Q2) If (Q2) generates an $a$-transition, the target state of the underlying transition in $S$ is not the error state and also $D$ has an underlying $a$-transition. This contradicts $e_S$ as target state of the first underlying transition in (Q3) and (Q4), and the non-existence of the underlying $a$-transition in $D$ in (Q5).

(Q3) If (Q3) generates an $a$-transition from $(s,d)$ to the error state, there must be an underlying transition in $S$ with source state $s \neq e_S$. This contradicts $e_S$ as source state of the underlying transition from $S$ in (Q4). Action $a$ is in $I_S$ in (Q3), hence not in $O_D \subseteq O_S$. Therefore, also (Q5) cannot introduce an $a$-transition.

(Q4) The $a$-transition generated by this rule has the underlying transition $e_S \xrightarrow{a}_S e_S$. The source state of this transition makes it impossible to use Rule (Q5) for an $a$-transition from $(s,d)$.


We note that, since $S/\!/D$ is in qui-div-NF, Lemma 24 also holds for the quotient. We will now show our main result that the quotient operation above yields the coarsest bit-EIO satisfying the defining inequality. For this proof, the next lemma ensures that $S/\!/D$ is defined.


Lemma 51. Let $S$ and $D$ be bit-EIOs in qui-div-NF, and let $P$ be an EIO with $\Sigma_D \subseteq \Sigma_S$, $O_D \subseteq O_S$, $O_P = O_S \setminus O_D$ and $I_P = I_S \cup O_D$. If $P \| QC(D) \sqsubseteq_{Div} S$, then $S/\!/D$ is defined.


Proof: We assume that $P$ is in divergence normal form. This assumption merely simplifies the proof somewhat, but this divergence normal form never has to be computed. We will write $\xrightarrow{a}_{\|}$ and $\Rightarrow^{w}_{\|}$ as shorthand for $\xrightarrow{a}_{P \| QC(D)}$ and $\Rightarrow^{w}_{P \| QC(D)}$. For this proof, we define the new relation $\sqsubseteq$ by: $p \| d \sqsubseteq s$ if $\exists w \in \Sigma_S^*: p_0 \| d_0 \Rightarrow^{w}_{\|} p \| d \wedge s_0 \Rightarrow^{w} s$.

We will show the claim that, for all $(s,d) \in F$, there cannot exist any $p$ with $p \| d \sqsubseteq s$, arguing that the respective trace $w$ with its extensions would violate $P \| QC(D) \sqsubseteq_{Div} S$. Then we are done, since $p_0 \| d_0 \sqsubseteq s_0$ due to $w = \varepsilon$.

We prove this claim by induction on the derivation length according to the F-rules. In each case, we assume $p \| d \sqsubseteq s$ due to $w$ for some $p \in P$ and derive a contradiction.

(F1) $s \neq e_S \wedge d = e_D$: Here $p \| d$ is an inherited error in $P \| QC(D)$. Hence $w \in ET(P \| QC(D)) \subseteq EDT(P \| QC(D))$, but $w \notin ET(S) = EDT(S)$ since $S$ is in qui-div-NF.

(F2) $s \not\xrightarrow{a}_S$, $d \xrightarrow{a}_D$ and $a \in O_D$: $s \neq e_S$ because $e_S$ has transition loops for all $a \in \Sigma_S$. By $p \| d \sqsubseteq s$ and $wa \notin EL(S) = EDL(S)$, we know $p \| d \not\xrightarrow{a}_{\|}$. This can only happen if $p \not\xrightarrow{a}_P$; but $a$ is an input of $P$, which is input-enabled, a contradiction.

(F3) $b(s) = 0$, $b(d) = 1$ and $\forall a \in O$: if $(s,d) \xrightarrow{a}_{S \oslash D} (s',d')$ then $(s',d') \in F$: Here, $s$ cannot be $e_S$ because then $(s,d)$ would be $(e_S,e_D)$, and this is not possible due to Lemma 48 and Lemma 49.

By $b(d) = 1$, we also have $p_0 \| d_0 \Rightarrow^{w}_{\|} p \| \hat{d}$. If $p$ is quiescent then $w \in StQT(P \| QC(D))$, but $w \notin QDT(S)$ since $b(s) = 0$, $s \neq e_S$ and $S$ is in qui-div-NF.

Thus, $p$ has to have an outgoing transition $p \xrightarrow{a}_P p'$ for some $a \in O$ and $p'$. Action $a$ is an input for $D$ or not in its alphabet. Hence, $p \| d$ will inherit the $a$-transition from $p$ as $p \| d \xrightarrow{a}_{\|} p' \| d'$ (where $d'$ could be $d$). The result is $wa \in L(P \| QC(D)) \subseteq EDL(P \| QC(D))$. Since $P \| QC(D) \sqsubseteq_{Div} S$, we know $wa \in EDL(S) = EL(S)$; since $S$ is in qui-div-NF, this implies $s \xrightarrow{a}_S s'$ for some $s'$.

Given our considerations about $d$ and $a$, we have $(s,d) \xrightarrow{a}_{S \oslash D} (s',d')$ by one of (Q1), (Q2) and (Q3). Thus, $(s',d') \in F$ by assumption of (F3) and $(s',d')$ satisfies our claim by induction. At the same time, we have $p_0 \| d_0 \Rightarrow^{wa}_{\|} p' \| d' \wedge s_0 \Rightarrow^{wa} s'$, a contradiction.

(F4) $(s,d) \xrightarrow{a} (s',d') \in F$ and $a \in I$: Our claim holds for $(s',d')$ by induction hypothesis, and the transition is due to one of the Q-rules:

(Q1)/(Q2) Action $a$ is an input for $P$ and $P$ has to be input-enabled. Hence $p \xrightarrow{a}_P p'$ for some $p'$. In parallel with $d$, we get the transition $p \| d \xrightarrow{a}_{\|} p' \| d'$ because in (Q1) $a$ is not in $\Sigma_D$ ($d' = d$) and (Q2) requires $d$ to have an $a$-transition to $d'$. For the target state $p' \| d' \sqsubseteq s'$ holds. This contradicts $(s',d') \in F$.

(Q3)/(Q4)/(Q5) Transitions that exist due to these three rules have $(e_S,e_D)$ as target state, which cannot be in $F$ due to Lemma 49.


The parallel composition of EIOs is defined if the output action sets are disjoint. The output action set of $P$ is defined as $O_P = O_S \setminus O_D$ in Lemma 51 and the following theorem. This set and $O_D$ are clearly disjoint.


Theorem 52. Let $S$ and $D$ be bit-EIOs in qui-div-NF and $P$ an EIO such that $\Sigma_D \subseteq \Sigma_S$, $O_D \subseteq O_S$, $O_P = O_S \setminus O_D$ and $I_P = I_S \cup O_D$. Then, $P \sqsubseteq_{Div} S/\!/D$ with $S/\!/D$ defined iff $P \| QC(D) \sqsubseteq_{Div} S$.


Proof: Again, we can assume that $P$ is in divergence normal form.

"$\Rightarrow$": We show that the trace set inclusions for $P \| QC(D) \sqsubseteq_{Div} S$ hold, if they hold for $P \sqsubseteq_{Div} S/\!/D$.

First, we take a prefix minimal $w \in EDT(P \| QC(D))$ and show that $w$ is also in $EDT(S)$. Some $wv$ with $v \in O_S^*$ reaches an error state in $P \| QC(D)$, since divergence is not possible.

If this fault is inherited from $D$, $wv|_{\Sigma_D}$ is a strict error trace in $D$ and $P$ can execute $wv$. $P$ is a refinement of the defined quotient $S/\!/D$, so $wv$ is a trace in $S/\!/D$. This must be due to the Q-rules without (Q5) and thus $wv$ must also be an executable trace in $S$; in particular, none of the states reached in this trace are allowed to fulfill (F1). Hence $wv$ must be in $EDT(S)$ and, by $v \in O_S^*$, also $w \in EDT(S)$.

If the error in $P \| QC(D)$ is inherited from $P$, we know $wv \in EDT(P) \subseteq EDT(S/\!/D)$. The underlying run in $S/\!/D$ reaches the error state $(e_S,e_D)$ and the transitions of this run exist due to the Q-rules. (Q5) cannot play a role here because $wv|_{\Sigma_D}$ is a trace for $D$. Hence, $S$ takes part in all transitions to execute $wv$. The transition in $S/\!/D$ which reaches the error state results from (Q3), and the underlying transition of $S$ reaches $e_S$. Thus $wv \in EDT(S)$ and, by $v \in O_S^*$, also $w \in EDT(S)$.

For the next trace set inclusion, it is enough to show for a $w \in StQT(P \| QC(D))$ that it is also contained in $QDT(S)$. Since $w$ reaches a quiescent state in the parallel composition of $P$ and $QC(D)$, Lemma 16 tells us that this can only happen if both states of the components are already quiescent. Thus, $P$ reaches a quiescent state with $w$ and $QC(D)$ with $w|_{\Sigma_D}$. The quiescent trace of $P$ is a quiescent or an error trace of $S/\!/D$. The trace in $S/\!/D$ results from the Q-rules which require underlying transitions in $S$.

Since $S/\!/D$ is in qui-div-NF, it can really execute this trace. The last state reached is either the error state, and we can conclude from the Q-rules that $w \in EDT(S)$, or the last state $s/\!/d$ counts as quiescent. In the latter case, all transitions on the run in $S/\!/D$ are due to (Q1) and (Q2). Hence, the run in $QC(D)$ ends in $d$ (or maybe $\hat{d}$, if $d$ is quiescent), i.e. $b(d) = 1$. Since $b(s,d) = 1$, this implies $b(s) = 1$ and $w \in StQT(S)$.

As the last point, we have to show $EDL(P \| QC(D)) \subseteq EDL(S)$. With the above argumentation, it is enough to consider $w \in L(P \| QC(D)) \setminus EDT(P \| QC(D))$. This $w$ is executable in the parallel composition of $P$ and $QC(D)$. Hence $w \in L(P) \subseteq EDL(S/\!/D)$. Again, $w$ is a trace in $S/\!/D$ due to the Q-rules without (Q5). Thus, it is also a trace in $S$ and $w \in L(S) \subseteq EDL(S)$.

"$\Leftarrow$": We show that the trace set inclusions for $P \sqsubseteq_{Div} S/\!/D$ hold, if they hold for $P \| QC(D) \sqsubseteq_{Div} S$. With Lemma 51 we know that $S/\!/D$ is defined here.

First, for $w \in EDT(P)$, we have to show that $w$ is also in $EDT(S/\!/D)$. Since $P$ is in normal form, it can execute the trace.

If $D$ can match all actions on $w|_{\Sigma_D}$, $w$ is in $EDT(P \| QC(D))$ and executable. With $P \| QC(D) \sqsubseteq_{Div} S$, we conclude that $w \in EDT(S)$. This can only result from a run in $S$ which reaches $e_S$. With (Q1), (Q2), (Q3) and (Q4), we also get a run for $w$ in $S \oslash D$; as in the proof of Lemma 51, all states on this run are not in $F$, hence in $S/\!/D$. Therefore, the run reaches the error state $(e_S,e_D)$, proving $w \in EDT(S/\!/D)$.

If $D$ is not able to match all actions of $w|_{\Sigma_D}$, this is due to a missing output transition after the execution of a prefix of $w|_{\Sigma_D}$. The corresponding prefix $v$ of $w$ is executable in the parallel composition of $P$ and $QC(D)$ and, by $P \| QC(D) \sqsubseteq_{Div} S$, $v$ is also in the language of $S$. With the first four Q-rules, this prefix is also executable in $S/\!/D$ as above. After this prefix, a state is reached in $S/\!/D$ where the conditions of (Q5) are fulfilled for the next action on $w$. Hence, a prefix of $w$ reaches the error state in $S/\!/D$ implying $w \in EDT(S/\!/D)$.

It is enough to consider some $w \in StQT(P) \setminus EDT(P)$ for the next inclusion. If $D$ cannot match all actions for $w|_{\Sigma_D}$, $w$ is an error trace in $S/\!/D$ as argued above. So we consider $D$ to have $w|_{\Sigma_D}$ as an executable trace.

If $w|_{\Sigma_D} \in EDT(D)$, $QC(D)$ passes an error on to the parallel composition, and with $P \| QC(D) \sqsubseteq_{Div} S$ also $w \in EDT(S)$ follows. From the Q-rules we conclude that $w \in EDT(S/\!/D) \subseteq QDT(S/\!/D)$.

If $w|_{\Sigma_D} \in StQT(D) \setminus EDT(D)$, the parallel composition $P \| QC(D)$ has $w$ as strict quiescent trace. With $P \| QC(D) \sqsubseteq_{Div} S$, we get $w \in QDT(S)$. If $w \in EDT(S)$, $w \in EDT(S/\!/D)$ follows with the above argumentation. If $w \in StQT(S) \setminus EDT(S)$, $S$ reaches a state $s$ with $b(s) = 1$ after $w$. Again, $S/\!/D$ can perform $w$ reaching some $s/\!/d$. Since $b(s/\!/d) = 1$, we have $w \in StQT(S/\!/D)$, and in any case $w \in QDT(S/\!/D)$.

If $w|_{\Sigma_D} \in L(D) \setminus QDT(D)$, the parallel composition $P \| QC(D)$ can execute $w$ but does not reach any faulty state along the way. With $P \| QC(D) \sqsubseteq_{Div} S$ we have $w \in EDL(S)$. If $w \in EDT(S)$, we are again done with the arguments from above. For $w \in L(S) \setminus EDT(S)$, we get $w \in L(S/\!/D)$ with (Q1) and (Q2). The state in $QC(D)$ which is reached by $w|_{\Sigma_D}$ cannot be quiescent, hence $b$ maps this state to 0. Thus, with the rules for $b$ of $S \oslash D$, the state in $S/\!/D$ which is reached by $w$ is mapped to 1 and $w \in StQT(S/\!/D) \subseteq QDT(S/\!/D)$.

The last inclusion we have to show is $L(P) \setminus EDT(P) \subseteq EDL(S/\!/D)$. We take a $w \in L(P) \setminus EDT(P)$. If $D$ cannot match all actions which are required for $w|_{\Sigma_D}$, $w$ is an error trace in $S/\!/D$ as argued above. So we consider $D$ to have $w|_{\Sigma_D}$ as an executable trace.

If $w|_{\Sigma_D} \in EDT(D)$, $QC(D)$ passes an error on to the parallel composition and, with $P \| QC(D) \sqsubseteq_{Div} S$, also $w \in EDT(S)$ follows. As above, we get with the Q-rules that $w \in EDT(S/\!/D) \subseteq EDL(S/\!/D)$.

If $w|_{\Sigma_D} \in L(D) \setminus EDT(D)$, we get $w \in L(P \| QC(D))$ and conclude $w \in EDL(S)$ with $P \| QC(D) \sqsubseteq_{Div} S$. If $w \in EDT(S)$, we are done with the arguments from above. Otherwise, we get $w \in L(S/\!/D) \subseteq EDL(S/\!/D)$ with (Q1) and (Q2).

From this theorem we can also conclude that $/\!/$ is monotonic w.r.t. $\sqsubseteq_{Div}$ in the left argument.


Theorem 53. Let $S_1, S_2, D$ be bit-EIOs in qui-div-NF with $S_1 \sqsubseteq_{Div} S_2$. If $S_1/\!/D$ is defined, then $S_2/\!/D$ is defined and $S_1/\!/D \sqsubseteq_{Div} S_2/\!/D$.

Proof: If $S_1/\!/D$ is defined, then $QC(S_1/\!/D) \| QC(D) \sqsubseteq_{Div} S_1$ by Thm. 52. Applying the assumption $S_1 \sqsubseteq_{Div} S_2$, transitivity of $\sqsubseteq_{Div}$ and Thm. 52 again, we conclude that $S_1/\!/D \sqsubseteq_{Div} S_2/\!/D$; in particular, $S_2/\!/D$ is also defined.


7 Conclusion 


A refinement preorder should ensure that some desired properties are pre- 
served in a refinement step, and it should support compositional reasoning. 
Optimally, it rejects a prospective refinement only if the two goals make it 
necessary. With the coarsest-precongruence approach we followed in this 
paper, one can find such optimal preorders. The approach is most attrac- 
tive in cases where one starts from a simple property, but gets a preorder 
that preserves much stronger properties. In this paper, we considered the 
property that a system cannot run into a fault autonomously, with three 
variants of fault. In the first case, a fault is a communication mismatch, 
called error. We characterized the coarsest precongruence with the sets ET 
and EL. The error traces of the first set also describe how errors can arise 
non-autonomously in parallel compositions, the second set restricts also the 
error-free behaviour of a refinement. 

We obtained two further precongruences on the basis that a fault can 
also be a quiescence or can also be a quiescence or divergence. The last 
of these precongruences shows that, for an optimal preorder, divergence is 
as catastrophic as an error (while quiescence is less harmful). This is in 
contrast to the declarative semantics presented in [5]. We showed that all 
our precongruences are also compositional w.r.t. hiding and presented a 
conjunction operator for each of them. Finally, we introduced a quotient 
operator (being adjoint to parallel composition). While the quotient results 
in [5] are restricted to deterministic systems, we treated arbitrary EIOs
here. For defining the quotient and proving its characteristic property, we
developed a new structure, and these new bit-EIOs can represent all EIOs 
in an almost deterministic way. 

In particular in the context of conjunction, it would also be interesting 
to allow alphabet extension in a refinement step. Think of two EIOs that 
specify two properties concerning different sets of actions. Then, a common 
refinement should have all actions, i.e. more than any of the two conjuncts; 
cf. e.g. [3]. In [5], an alphabet change is possible, resulting in more inputs 
and fewer outputs; this is technically easier in a setting that regards outputs 
as a source for errors. But the scenario just described makes clear why we 
want to be able to also enlarge the set of outputs. 